From patchwork Thu Nov 24 00:06:35 2016
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1541
From: Andreas Cadhalpun
To: ffmpeg-devel@ffmpeg.org, libav development
References: <65a476e6-92fb-667f-7d38-65bd40756892@gentoo.org> <78469d02-ce34-0614-e81f-fe663e7bf9f0@googlemail.com> <20161114195416.24597.66443@localhost> <19b88f10-14fc-4b3b-2d0f-ad60a86f6de0@googlemail.com> <20161123020729.GV4824@nb4>
Message-ID: <9fc253e0-cb6d-eb66-66c5-af6f7c37e903@googlemail.com>
Date: Thu, 24 Nov 2016 01:06:35 +0100
In-Reply-To: <20161123020729.GV4824@nb4>
Subject: Re: [FFmpeg-devel] [libav-devel] [PATCH] libopusdec: fix out-of-bounds read

On 23.11.2016 03:07, Michael Niedermayer wrote:
> On Mon, Nov 14, 2016 at 09:55:15PM +0100, Andreas Cadhalpun wrote:
>> libopusdec.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>> 0b663c14f4a6dae3e1da453239dbe429aef7886e 0001-libopusdec-default-to-stereo-for-invalid-number-of-c.patch
>> From d33ded293d15e8ceab666bea834d436f3a225bcc Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun
>> Date: Mon, 14 Nov 2016 21:41:45 +0100
>> Subject: [PATCH] libopusdec: default to stereo for invalid number of channels
>>
>> This fixes an out-of-bounds read if avc->channels is 0.
>>
>> Signed-off-by: Andreas Cadhalpun
>> ---
>> libavcodec/libopusdec.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
>> index acc62f1..61f68ed 100644
>> --- a/libavcodec/libopusdec.c
>> +++ b/libavcodec/libopusdec.c
>> @@ -47,6 +47,12 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) >> int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled; >> uint8_t mapping_arr[8] = { 0, 1 }, *mapping; >> >> + if (avc->channels <= 0) { >> + av_log(avc, AV_LOG_WARNING, >> + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); >> + avc->channels = 2; >> + } > > This looks wrong > > opusdec uses ff_opus_parse_extradata() to set the number of channels > from extradata. > > The value provided by the demuxer if any should not matter However, extradata does not necessarily exist and in that case ff_opus_parse_extradata defaults to stereo, unless the demuxer has set channels to 1. This can also be done in libopusdec, but channels can still be 0, if the channel count in extradata is 0, so the above default setting is needed regardless. Attached is an updated patch. Best regards, Andreas From 7bee9f96947c76e6581e9bfa5ce87c3c94a1565e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 14 Nov 2016 21:41:45 +0100 Subject: [PATCH] libopusdec: default to stereo for invalid number of channels This fixes an out-of-bounds read if avc->channels is 0. Signed-off-by: Andreas Cadhalpun --- libavcodec/libopusdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index acc62f1..e6ca61a 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c 
@@ -47,6 +47,13 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled; uint8_t mapping_arr[8] = { 0, 1 }, *mapping; + avc->channels = avc->extradata_size >= 10 ? avc->extradata[9] : (avc->channels == 1) ? 1 : 2; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_WARNING, + "Invalid number of channels %d, defaulting to stereo\n", avc->channels); + avc->channels = 2; + } + avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; -- 2.10.2
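Review bot: the `if (avc->channels <= 0)` check in the v2 hunk can only ever fire for 0 once the preceding line has run, because `avc->extradata[9]` is an unsigned byte and the fallback branch yields 1 or 2, so the `%d` in the warning will always print 0; `== 0` with a message saying the header declares zero channels would be clearer. The same line also lets any value up to 255 through with no upper bound, while the function's static table is `mapping_arr[8]`; please confirm that the existing code below this hunk validates the count against the mapping it is used with before indexing, since the hunk itself does not show that check. Finally, the ternary re-implements the channel-count derivation that ff_opus_parse_extradata already performs (the point raised upthread); if it has to stay duplicated here, name the magic numbers 9 and 10 (OpusHead channel-count offset and minimum header size) so the two copies cannot silently drift apart.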
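To make the reasoning in the reply concrete, here is an added stand-alone C example (not FFmpeg's code and not part of this patch) that derives the channel count the same way the v2 hunk does and exercises the inputs the thread talks about: a normal header, a header declaring zero channels, a truncated header with a demuxer-reported mono count, and no extradata at all. The offset 9 and minimum size 10 are taken from the patch (they match the OpusHead layout of RFC 7845: 8-byte magic, 1-byte version, 1-byte channel count); the helper names, the `defaulted` flag, the `MAX_MAPPED_CHANNELS` bound (sized after the `mapping_arr[8]` visible in the hunk) and the sample headers are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets taken from the patch: the channel count is the byte at offset 9,
 * so at least 10 bytes of extradata are needed to read it (this matches the
 * OpusHead layout in RFC 7845: 8-byte magic, 1-byte version, 1-byte count). */
#define OPUS_HEAD_CHANNELS_OFFSET 9
#define OPUS_HEAD_MIN_SIZE        10
/* Assumed table size for this example, after the mapping_arr[8] in the hunk. */
#define MAX_MAPPED_CHANNELS       8

struct opus_channels {
    int channels;   /* count to decode with, always >= 1 on return */
    int defaulted;  /* 1 if a zero count was replaced by stereo */
};

/* Hypothetical helper (not FFmpeg's): mirrors the patch's derivation.
 * extradata may be NULL; demuxer_channels is whatever the container said. */
struct opus_channels opus_channel_count(const uint8_t *extradata,
                                        size_t extradata_size,
                                        int demuxer_channels)
{
    struct opus_channels r = { 0, 0 };

    if (extradata != NULL && extradata_size >= OPUS_HEAD_MIN_SIZE) {
        /* A uint8_t can never be negative, so the only invalid value is 0. */
        r.channels = extradata[OPUS_HEAD_CHANNELS_OFFSET];
    } else {
        /* No usable header: trust a demuxer-reported mono, else assume stereo. */
        r.channels = (demuxer_channels == 1) ? 1 : 2;
    }

    if (r.channels <= 0) {
        /* The case the patch fixes: a header declaring 0 channels. */
        r.channels  = 2;
        r.defaulted = 1;
    }
    return r;
}

/* Bounds check a caller must apply before using the count as an index into
 * a table of MAX_MAPPED_CHANNELS entries; the header byte can be up to 255. */
int opus_channels_fit_static_mapping(int channels)
{
    return channels >= 1 && channels <= MAX_MAPPED_CHANNELS;
}

/* Constructed sample headers (not captured from real files). A real OpusHead
 * is 19 bytes; only bytes 0..9 matter for this example. */
static const uint8_t HEAD_STEREO[19] = { 'O','p','u','s','H','e','a','d', 1, 2 };
static const uint8_t HEAD_MONO[19]   = { 'O','p','u','s','H','e','a','d', 1, 1 };
static const uint8_t HEAD_ZERO[19]   = { 'O','p','u','s','H','e','a','d', 1, 0 };
static const uint8_t HEAD_BIG[19]    = { 'O','p','u','s','H','e','a','d', 1, 255 };
static const uint8_t HEAD_SHORT[4]   = { 'O','p','u','s' };

static void show(const char *label, const uint8_t *ed, size_t size, int demux)
{
    struct opus_channels r = opus_channel_count(ed, size, demux);
    printf("%-22s -> %3d channel(s)%s%s\n", label, r.channels,
           r.defaulted ? " (defaulted to stereo)" : "",
           opus_channels_fit_static_mapping(r.channels) ? "" : " [exceeds mapping table]");
}

int main(void)
{
    show("stereo header",       HEAD_STEREO, sizeof HEAD_STEREO, 0);
    show("mono header",         HEAD_MONO,   sizeof HEAD_MONO,   0);
    show("zero-channel header", HEAD_ZERO,   sizeof HEAD_ZERO,   0);
    show("255-channel header",  HEAD_BIG,    sizeof HEAD_BIG,    0);
    show("truncated header",    HEAD_SHORT,  sizeof HEAD_SHORT,  1);
    show("no extradata, 6ch",   NULL,        0,                  6);
    return 0;
}
```

The 255-channel case is why the separate bounds check exists: the zero-channel fallback alone only closes the lower end, and any code that later uses the count to size or index a fixed table still has to reject counts above that table's size.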