diff mbox series

[FFmpeg-devel,5/7] avutil/aes: Don't use out-of-bounds index

Message ID AS8P250MB074437D16DC80FE56959DD378F2D9@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM
State Accepted
Commit f49375f28ff22af19d8a259bd21def5e876dc97b
Headers show
Series [FFmpeg-devel,1/7] avcodec/snow_dwt: Fix left shifts of negative numbers | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished

Commit Message

Andreas Rheinhardt Oct. 21, 2022, 6:59 p.m. UTC
Up until now, av_aes_init() uses a->round_key[0].u8 + t
as dst of memcpy where it is intended for t to be greater
than 16 (u8 is an uint8_t[16]); given that round_key itself
is an array, it is actually intended for dst to be
in a latter round_key member. To do this properly,
just cast a->round_key to unsigned char*.

This fixes the srtp, aes, aes_ctr, mov-3elist-encrypted,
mov-frag-encrypted and mov-tenc-only-encrypted
FATE-tests with (Clang-)UBSan.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavutil/aes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/libavutil/aes.c b/libavutil/aes.c
index 8b78daa782..2f08fb4164 100644
--- a/libavutil/aes.c
+++ b/libavutil/aes.c
@@ -253,7 +253,7 @@  int av_aes_init(AVAES *a, const uint8_t *key, int key_bits, int decrypt)
                     tk[j][i] ^= sbox[tk[j - 1][i]];
         }
 
-        memcpy(a->round_key[0].u8 + t, tk, KC * 4);
+        memcpy((unsigned char*)a->round_key + t, tk, KC * 4);
     }
 
     if (decrypt) {