From patchwork Fri Jan 5 21:29:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jacob Trimble X-Patchwork-Id: 7153 Delivered-To: ffmpegpatchwork@gmail.com Received: by 10.2.78.2 with SMTP id r2csp1256602jaa; Fri, 5 Jan 2018 13:30:05 -0800 (PST) X-Google-Smtp-Source: ACJfBouBUVUR2Hg8uPQVwAY+lIXawegFSPJPArPTpy+9OYN/5cPfbySEYop/0UnzalYUgJNM5oTG X-Received: by 10.223.200.140 with SMTP id k12mr3719288wrh.98.1515187805063; Fri, 05 Jan 2018 13:30:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1515187805; cv=none; d=google.com; s=arc-20160816; b=kwnZ9qHdGFOogAutvrwAquZhOLDVy17QHgJxupeoZYAEZvEyxj+KCHXlyX2kBONL00 TcJhJ/TmDRGiHqYcquuttddByqh/d0YyLJKyhNd4DvGv5okPX/Vo+Tqpv8IJvPtIXkKm uYpvQHsTVfpqozF2eRHuNMVsDPCoiB+hh3FFUNRBlOKbv4pUF0ohO/tIVJv6GObVAXRt OV9pZVSFwiVSiDOBsgR+4BnQUhAouzuD/T0T+tpIj9PccrdjCob76E08H1LvCo07MZuZ /mNH9e3RSd5kjxsp4YMzbXMAQMBMKsfFoRD1h24GQWLmIcMEcNqNc6OJk62ZTZy1cx6x /8ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:to :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:delivered-to:arc-authentication-results; bh=hPiCffxOI81/h/c7FDh3618Uqbe3lJpi3uIt8PnjqH8=; b=M9x/y6PP26UH+nlTZsNu2gGAkzlCLoWzPCZcXAysV1RQInKAwfPMFvB2iJvZwrgGGD 1jiNc/SDK9ncPamcNjmld8Kx8lD0fdxIDOpz/V+nYZKZd16S7v5d+50tX+P44yQyyDnV 51jRSeyLvqdvZJLqoohroH0fKjkRNDw49YtLTcBMFBHClFYM5dYzNJoJw5xIhLEb4ALF 2BangNULTYc+kaBDvRxmpuOadsgAHKHoifxTK0s8Uzf9mTKs5eqT/vE4Lqn7yfPly1UE Lejj9/eyw0itLqNNbIvtsSdEYwkZnB2y087tHFPVP4BgpvZ4Ye4fstKSIs2Jj2OwOVxC wyNw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@google.com header.s=20161025 header.b=AL9nKGf1; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id u4si5234716wru.314.2018.01.05.13.30.04; Fri, 05 Jan 2018 13:30:05 -0800 (PST) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@google.com header.s=20161025 header.b=AL9nKGf1; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7AE56689B3A; Fri, 5 Jan 2018 23:30:03 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com [209.85.213.47]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 1897C689AC6 for ; Fri, 5 Jan 2018 23:29:57 +0200 (EET) Received: by mail-vk0-f47.google.com with SMTP id m15so4262966vkf.13 for ; Fri, 05 Jan 2018 13:29:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=kan0MnRBOEBryQQFbWjOLehAu1SGZDz+gkC/Mpzj2Zw=; b=AL9nKGf1gvoSOL9hYApWDi49KDW2OYThGzBKuQnCkcjBOAWWKJnCkX05HQtm/oX+Ew Rvzw9jeLS2ikdLFRIhltklooB7L2Z5jaL99HRssrYeLrEbfZOQq/SGEHnZIqM5pnCRx6 8a15BYFbAyXg9jmHbeWT2kqIzuTbM2rpVTLlEqWyZtbg8Kbqoiqi/TWAbkeH6RTxsZLX 43qUYyu9+HD74vA1a7YTHHVtbDyyW5JH90PM2AX8EWvkq/M9gDpYDrIocCn8wieTUGph Puo85ztpgjbaxvBQzQYIlnTPWYslljfkaG7wSiBdmsPBNC13SRbObNfWVrk4DwFpKUuM iBBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=kan0MnRBOEBryQQFbWjOLehAu1SGZDz+gkC/Mpzj2Zw=; b=sMKES8vp5AE22uSBVbK3y+h6SLM7uWB+AC5Udlp4v2JmvtIz0/H/TApvgyPDKjqBQJ F7667L19kw1zE2L48tLKz4oqzdgWi4gkeynLaBGSjeVRK9iNC4GthtkR7y/l5ljhsFby 1u9pwe/cCVtIlq/NFcsSZpMvcB0QBn3hrNsEDkVuAcaZBTgXZNT9PRAN4A0B47yeIELQ h1ah9augh5WC4fXCI4933XOWbSEi8SJVB12hhciQGWpBtuxWuIibhfw3vC8pI4ZLolQc pdBlIWXpg4iA6/0aJZ7z1y/Hg962U4digRjJ715OQBbcv8ejGcE6bhbjXzbJdM4mCr/e kNBQ== X-Gm-Message-State: AKwxyted4P5sssBoV5rudJzDHuw/V4W3RWAeSvw5o2ZAsc2n+iSzYLpm J3UiJQjsqbx5Ekeb3uBGhzuUZwpBuOulZgZlwsbZ1Pap X-Received: by 10.31.237.195 with SMTP id l186mr3975370vkh.30.1515187795030; Fri, 05 Jan 2018 13:29:55 -0800 (PST) MIME-Version: 1.0 Received: by 10.103.214.138 with HTTP; Fri, 5 Jan 2018 13:29:54 -0800 (PST) In-Reply-To: References: <20180105194928.104085-1-modmaker@google.com> <20180105194928.104085-2-modmaker@google.com> From: Jacob Trimble Date: Fri, 5 Jan 2018 13:29:54 -0800 Message-ID: To: FFmpeg development discussions and patches Subject: Re: [FFmpeg-devel] [PATCH 2/3] avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" On Fri, Jan 5, 2018 at 12:41 PM, Carl Eugen Hoyos wrote: > 2018-01-05 20:49 GMT+01:00 Jacob Trimble : > >> + entry_count = avio_rb32(pb); >> + encryption_index->auxiliary_offsets = av_malloc_array(sizeof(size_t), entry_count); > > (sizeof(variable) instead of sizeof(type), please.) > > But since this could be used for a dos attack, please change this > to something similar to 1112ba01. > If it is easy to avoid it, very short files should not allocate > gigabytes. Switched to calculating the size based on the number of remaining bytes and returning an error if it doesn't match what is read. > > Carl Eugen > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel From 3c60b4bf10f8711a8db70bf74cc5e4b8ce3d50e0 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Wed, 6 Dec 2017 16:17:54 -0800 Subject: [PATCH] avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. This doesn't support saio atoms with more than one offset. Signed-off-by: Jacob Trimble --- libavformat/isom.h | 6 ++ libavformat/mov.c | 186 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 192 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index 3794b1f0fd..3de8053da2 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -114,6 +114,12 @@ typedef struct MOVEncryptionIndex { // settings will be used. unsigned int nb_encrypted_samples; AVEncryptionInfo **encrypted_samples; + + uint8_t* auxiliary_info_sizes; + size_t auxiliary_info_sample_count; + uint8_t auxiliary_info_default_size; + size_t* auxiliary_offsets; ///< Absolute seek position + size_t auxiliary_offsets_count; } MOVEncryptionIndex; typedef struct MOVFragmentStreamInfo { diff --git a/libavformat/mov.c b/libavformat/mov.c index eb3fb71e2a..9ff4a809b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5835,6 +5835,177 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } +static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOContext *pb, MOVEncryptionIndex *encryption_index) +{ + AVEncryptionInfo **sample; + int64_t prev_pos; + size_t sample_count, sample_info_size, i; + int ret = 0; + + if (encryption_index->nb_encrypted_samples) + return 0; + sample_count = encryption_index->auxiliary_info_sample_count; + if (encryption_index->auxiliary_offsets_count != 1) { + av_log(c->fc, AV_LOG_ERROR, "Multiple auxiliary info chunks are not supported\n"); + return AVERROR_PATCHWELCOME; + } + + encryption_index->encrypted_samples = av_mallocz_array(sizeof(AVEncryptionInfo*), sample_count); + if (!encryption_index->encrypted_samples) + return AVERROR(ENOMEM); + encryption_index->nb_encrypted_samples = sample_count; + + prev_pos = avio_tell(pb); + if (avio_seek(pb, encryption_index->auxiliary_offsets[0], SEEK_SET) != encryption_index->auxiliary_offsets[i]) { + av_log(c->fc, AV_LOG_INFO, "Failed to seek for auxiliary info, will only parse senc atoms for encryption info\n"); + goto finish; + } + + for (i = 0; i < sample_count; i++) { + sample = &encryption_index->encrypted_samples[i]; + sample_info_size = encryption_index->auxiliary_info_default_size + ? encryption_index->auxiliary_info_default_size + : encryption_index->auxiliary_info_sizes[i]; + + ret = mov_read_sample_encryption_info(c, pb, sc, sample, sample_info_size > sc->cenc.per_sample_iv_size); + if (ret < 0) + goto finish; + } + +finish: + avio_seek(pb, prev_pos, SEEK_SET); + return ret; +} + +static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + MOVEncryptionIndex *encryption_index; + MOVStreamContext *sc; + int ret; + unsigned int sample_count, has_saiz_type; + + ret = get_current_encryption_info(c, &encryption_index, &sc); + if (ret != 1) + return ret; + + if (encryption_index->nb_encrypted_samples) { + // This can happen if we have both saio/saiz and senc atoms. + av_log(c->fc, AV_LOG_DEBUG, "ignoring duplicate encryption info in saiz\n"); + return 0; + } + + if (encryption_index->auxiliary_info_sample_count) { + av_log(c->fc, AV_LOG_ERROR, "duplicate saiz atom\n"); + return AVERROR_INVALIDDATA; + } + + avio_r8(pb); /* version */ + has_saiz_type = avio_rb24(pb) & 0x01; /* flags */ + if (has_saiz_type) { + if (avio_rb32(pb) != sc->cenc.default_encrypted_sample->scheme) { + av_log(c->fc, AV_LOG_DEBUG, "ignoring saiz box with non-zero aux_info_type\n"); + return 0; + } + if (avio_rb32(pb) != 0) { + av_log(c->fc, AV_LOG_DEBUG, "ignoring saiz box with non-zero aux_info_type_parameter\n"); + return 0; + } + } + + encryption_index->auxiliary_info_default_size = avio_r8(pb); + sample_count = avio_rb32(pb); + encryption_index->auxiliary_info_sample_count = sample_count; + + if (encryption_index->auxiliary_info_default_size == 0) { + if (atom.size - 9 - (has_saiz_type ? 8 : 0) != sample_count) { + av_log(c->fc, AV_LOG_ERROR, "incorrect sample_count in saiz\n"); + return AVERROR_INVALIDDATA; + } + + encryption_index->auxiliary_info_sizes = av_malloc(sample_count); + if (!encryption_index->auxiliary_info_sizes) + return AVERROR(ENOMEM); + if (avio_read(pb, encryption_index->auxiliary_info_sizes, sample_count) != sample_count) { + av_log(c->fc, AV_LOG_ERROR, "failed to read the auxiliary info\n"); + return AVERROR_INVALIDDATA; + } + } + + if (encryption_index->auxiliary_offsets_count) { + return mov_parse_auxiliary_info(c, sc, pb, encryption_index); + } + + return 0; +} + +static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + MOVEncryptionIndex *encryption_index; + MOVStreamContext *sc; + int i, ret; + unsigned int version, entry_count, has_saio_type; + + ret = get_current_encryption_info(c, &encryption_index, &sc); + if (ret != 1) + return ret; + + if (encryption_index->nb_encrypted_samples) { + // This can happen if we have both saio/saiz and senc atoms. + av_log(c->fc, AV_LOG_DEBUG, "ignoring duplicate encryption info in saio\n"); + return 0; + } + + if (encryption_index->auxiliary_offsets_count) { + av_log(c->fc, AV_LOG_ERROR, "duplicate saio atom\n"); + return AVERROR_INVALIDDATA; + } + + version = avio_r8(pb); /* version */ + has_saio_type = avio_rb24(pb) & 0x01; /* flags */ + if (has_saio_type) { + if (avio_rb32(pb) != sc->cenc.default_encrypted_sample->scheme) { + av_log(c->fc, AV_LOG_DEBUG, "ignoring saio box with non-zero aux_info_type\n"); + return 0; + } + if (avio_rb32(pb) != 0) { + av_log(c->fc, AV_LOG_DEBUG, "ignoring saio box with non-zero aux_info_type_parameter\n"); + return 0; + } + } + + entry_count = (atom.size - 8 - (has_saio_type ? 8 : 0)) / (version == 0 ? 4 : 8); + if (avio_rb32(pb) != entry_count) { + av_log(c->fc, AV_LOG_ERROR, "incorrect entry_count in saio\n"); + return AVERROR_INVALIDDATA; + } + encryption_index->auxiliary_offsets = + av_malloc_array(sizeof(*encryption_index->auxiliary_offsets), entry_count); + if (!encryption_index->auxiliary_offsets) + return AVERROR(ENOMEM); + encryption_index->auxiliary_offsets_count = entry_count; + + if (version == 0) { + for (i = 0; i < entry_count; i++) { + encryption_index->auxiliary_offsets[i] = avio_rb32(pb); + } + } else { + for (i = 0; i < entry_count; i++) { + encryption_index->auxiliary_offsets[i] = avio_rb64(pb); + } + } + if (c->frag_index.current >= 0) { + for (i = 0; i < entry_count; i++) { + encryption_index->auxiliary_offsets[i] += c->fragment.base_data_offset; + } + } + + if (encryption_index->auxiliary_info_sample_count) { + return mov_parse_auxiliary_info(c, sc, pb, encryption_index); + } + + return 0; +} + static int mov_read_schm(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -6050,6 +6221,17 @@ static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int } if (encryption_index) { + if (encryption_index->auxiliary_info_sample_count && + !encryption_index->nb_encrypted_samples) { + av_log(mov->fc, AV_LOG_ERROR, "saiz atom found without saio\n"); + return AVERROR_INVALIDDATA; + } + if (encryption_index->auxiliary_offsets_count && + !encryption_index->nb_encrypted_samples) { + av_log(mov->fc, AV_LOG_ERROR, "saio atom found without saiz\n"); + return AVERROR_INVALIDDATA; + } + if (!encryption_index->nb_encrypted_samples) { // Full-sample encryption with default settings. encrypted_sample = sc->cenc.default_encrypted_sample; @@ -6194,6 +6376,8 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('s','i','n','f'), mov_read_default }, { MKTAG('f','r','m','a'), mov_read_frma }, { MKTAG('s','e','n','c'), mov_read_senc }, +{ MKTAG('s','a','i','z'), mov_read_saiz }, +{ MKTAG('s','a','i','o'), mov_read_saio }, { MKTAG('s','c','h','m'), mov_read_schm }, { MKTAG('s','c','h','i'), mov_read_default }, { MKTAG('t','e','n','c'), mov_read_tenc }, @@ -6589,6 +6773,8 @@ static void mov_free_encryption_index(MOVEncryptionIndex **index) { av_encryption_info_free((*index)->encrypted_samples[i]); } av_freep(&(*index)->encrypted_samples); + av_freep(&(*index)->auxiliary_info_sizes); + av_freep(&(*index)->auxiliary_offsets); av_freep(index); } -- 2.16.0.rc0.223.g4a4ac83678-goog