From patchwork Thu Apr 19 22:04:57 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jacob Trimble X-Patchwork-Id: 8514 Delivered-To: ffmpegpatchwork@gmail.com Received: by 2002:a02:155:0:0:0:0:0 with SMTP id c82-v6csp1166094jad; Thu, 19 Apr 2018 15:05:09 -0700 (PDT) X-Google-Smtp-Source: AIpwx49fWsToFQU8D1dC0+SDyEav4bEHyTPLoXL6RfP/c0Fp1wyCIv4ctDdW0vsxhBcmw7hPdpgA X-Received: by 2002:adf:8ab7:: with SMTP id y52-v6mr6103711wry.98.1524175509679; Thu, 19 Apr 2018 15:05:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524175509; cv=none; d=google.com; s=arc-20160816; b=Vu4N0FgdOd/FgF1uuwOHJ9oWrYzeCvMYGQ6D1Ns5SMn2IfTnH/9RV2DtduFUszDU2n vQa8L849wUDBeFl+S6UmWIH47Mmau73BqPDY7kXNSBeI0Tela2EKmP5bUMsW2Jo6oNgo qjhG6+Bi9ubXekbFeH1DoN+wtKlpDyS5WtZTiFeo768iRq5ykyl/AiIGgkMfKBkCJUo9 9G12hnuWit05YrH8gC5GapCMPWrA35gmd8C8ylXDNE0PAbRUXwS9l3TmSQbLK6ggun7O yGoU0zxD7Kfb8nlnhAch3MXTC91g9eryh75a39dfmQu9LbV2dQW+0TDRR6Wothd74Ggd FY5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:to :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:delivered-to:arc-authentication-results; bh=9QSEB7ZEkeFGBOEW/1Ab1XEp2YlQtLKfMX7y/Te3jtA=; b=IqaEXssDuewLzaeNpTqls+e2kX3Nt79ieKl3tUeI4czy4AfzSRW6knQNaBvDGb1O4y Tb7el1uVGV9MPYIP1haQcGYWyC3zo2LD7I7zMjOi7IAUoICXERBlBsjT0rRGmdDJEsVl 2fEcCil/t8/tljhMJXFoBxd6SXWerh4elXf3t7U6k4LXKL5+ENJvJ6Wns7yH+mx0CqaF 1NQJEUVjSNqkl+V4DsqokxD1pZB5qPVl9MuCbW4++2bIuZmoS4MFsBe65Sphok3Zqi7N cMGHJo/kH5Ansjv64ne6tvBUNhBI7bp6GXqnaYElF3KMG8mS1RJB8YuRVMd7qt7Pdq3O GCCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@google.com header.s=20161025 header.b=DzmDWzkI; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id 60-v6si3361766wrd.68.2018.04.19.15.05.08; Thu, 19 Apr 2018 15:05:09 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@google.com header.s=20161025 header.b=DzmDWzkI; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D5AAC689FC8; Fri, 20 Apr 2018 01:04:38 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-lf0-f51.google.com (mail-lf0-f51.google.com [209.85.215.51]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B27AF680AD3 for ; Fri, 20 Apr 2018 01:04:31 +0300 (EEST) Received: by mail-lf0-f51.google.com with SMTP id b23-v6so2354370lfg.4 for ; Thu, 19 Apr 2018 15:04:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=IPdpr+G/7qGulbtM+SABP2LSbLK61ci+T3Q3KJhiur0=; b=DzmDWzkIzsj4fizKW7dgeZwmVtgXOnfKLIeiVZ9COZ2w1kMfVUTCAa48TFNF3ZXy2n yBkGAppO0Ci2Iy2F6Re8KFiROI6/MQyXs2QtUPr90CDGmO53qYwXIZh7uQBznvoqRQG1 3+Ax9BDpYWLESFSo2R6WRaaG5XMRxfoAqhvOfCa/o9OE6NOSrjBOu40kCESA9l+t+X5L OtPVNH//2O1VlptiuSKVsUB4iq8E2GvkFdgb6pYjpCrTdU4/tJnpyuzWw/ioy+7sv3/n WLLjVNabVmm9Lv+CCuaYIdLeOORz0LF3q2cUY+MGSLYi2lfpVyeKFQaLpUpxxPm9QtVB SWNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=IPdpr+G/7qGulbtM+SABP2LSbLK61ci+T3Q3KJhiur0=; b=bpQv2QHUycn0dgx0u7fZMRP4L+RH2y1j1SVWh6BmXE9S8DN1/0Ix3Mrnc5ckuijItk ZdSnqEwplLASfWeFDZYYKh6vuqUfEfxOkTwXg4FQ2/FEF88+GY9uh7q88PDdA6G5caeo A4Cv5Jy2fg6cAVXOgybbKXmqFnbuNpWYcAlQtGJMurflQ246Aa3LW+roTScFgveDlptL ofLhwMZgHKnQtoRR2122LLGOoSakVAiUQMknFJAvIE+HAw57YRrXOGz+08tEUX1q4hba qPXDnjk60De8f0p/MKgk23DhRU1hTsu97H43+jIkACMlQiVxP10NfdhRxNIkfIuS1zSi V36A== X-Gm-Message-State: ALQs6tDcRi9a9WMHLVB++NKP5lqjCrDhhepXv37bBKKaz3NEaGpM/qH3 KYu4atKuKQhHzDM3Uodj/WaKWXZHVQ2y8zMysJzT5Ogp X-Received: by 2002:a19:159c:: with SMTP id 28-v6mr1096555lfv.139.1524175498385; Thu, 19 Apr 2018 15:04:58 -0700 (PDT) MIME-Version: 1.0 Received: by 10.46.68.7 with HTTP; Thu, 19 Apr 2018 15:04:57 -0700 (PDT) In-Reply-To: <20180419090753.GK20131@michaelspb> References: <20180105194928.104085-1-modmaker@google.com> <20180105194928.104085-2-modmaker@google.com> <20180419090753.GK20131@michaelspb> From: Jacob Trimble Date: Thu, 19 Apr 2018 15:04:57 -0700 Message-ID: To: FFmpeg development discussions and patches Subject: Re: [FFmpeg-devel] [PATCH 2/3] avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" On Thu, Apr 19, 2018 at 2:07 AM, Michael Niedermayer wrote: > On Tue, Jan 09, 2018 at 10:27:28AM -0800, Jacob Trimble wrote: >> On Mon, Jan 8, 2018 at 5:39 PM, Carl Eugen Hoyos wrote: >> > 2018-01-08 23:34 GMT+01:00 Jacob Trimble : >> >> On Fri, Jan 5, 2018 at 3:41 PM, Carl Eugen Hoyos wrote: >> >>> 2018-01-05 23:58 GMT+01:00 Jacob Trimble : >> >>>> On Fri, Jan 5, 2018 at 2:01 PM, Carl Eugen Hoyos wrote: >> >>>>> 2018-01-05 22:29 GMT+01:00 Jacob Trimble : >> >>>>>> On Fri, Jan 5, 2018 at 12:41 PM, Carl Eugen Hoyos wrote: >> >>>>>>> 2018-01-05 20:49 GMT+01:00 Jacob Trimble : >> >>>>>>> >> >>>>>>>> + entry_count = avio_rb32(pb); >> >>>>>>>> + encryption_index->auxiliary_offsets = av_malloc_array(sizeof(size_t), entry_count); >> >>>>>>> >> >>>>>>> (sizeof(variable) instead of sizeof(type), please.) >> >>>>>>> >> >>>>>>> But since this could be used for a dos attack, please change this >> >>>>>>> to something similar to 1112ba01. >> >>>>>>> If it is easy to avoid it, very short files should not allocate >> >>>>>>> gigabytes. >> >>>>>> >> >>>>>> Switched to calculating the size based on the number of remaining >> >>>>>> bytes and returning an error if it doesn't match what is read. >> >>>>> >> >>>>> Sorry if I miss something: >> >>>>> >> >>>>>> + entry_count = (atom.size - 8 - (has_saio_type ? 8 : 0)) / (version == 0 ? 4 : 8); >> >>>>>> + if (avio_rb32(pb) != entry_count) { >> >>>>>> + av_log(c->fc, AV_LOG_ERROR, "incorrect entry_count in saio\n"); >> >>>>>> + return AVERROR_INVALIDDATA; >> >>>>>> + } >> >>>>>> + encryption_index->auxiliary_offsets = >> >>>>>> + av_malloc_array(sizeof(*encryption_index->auxiliary_offsets), entry_count); >> >>>>> >> >>>>> Does this avoid a 1G allocation for a file of a few bytes? >> >>>>> >> >>>>> Didn't you simply increase the number of needed bytes to change in a valid >> >>>>> mov file to behave maliciously from one to two? >> >>>> >> >>>> From what I can tell, the mov_read_default method (which is what reads >> >>>> child atoms) will verify "atom.size" to fit inside the parent atom. >> >>>> This means that for "atom.size" to be excessively large for the file >> >>>> size, the input would need to be non-seekable (since I think the >> >>>> top-level atom uses the file size) and all the atoms would need to >> >>>> have invalid sizes. >> >>> >> >>> (I did not check this but I am not convinced the sample I fixed last >> >>> week is so sophisticated.) >> >>> >> >>>> But technically I guess it is possible. >> >>> >> >>> Thank you. >> >>> >> >>>> But this is basically malloc some number of bytes then read that many >> >>>> bytes. The only alternative I can think of (in the face of >> >>>> non-seekable inputs) is to try-read in chunks until we hit EOF or the >> >>>> end of the expected size. This seems like a lot of extra work that is >> >>> >> >>>> not mirrored elsewhere. >> >>> >> >>> On the contrary. >> >>> >> >>> But you are right, I forgot to write that you have to add an "if (!eof)" >> >>> to the reading loops, see the function that above commit changed. >> >>> >> >>>> There are several cases where this isn't explicitly checked. >> >>> >> >>> Yes, and they will be fixed, please don't add another one. >> >>> >> >>>> Also, how does this attack work? If the number is way too big, well >> >>>> get EOM and error out. >> >>> >> >>> Which not only causes dos but also makes checking for other (if you >> >>> like: more dangerous) issues more difficult which is bad. We already >> >>> know that there are cases where the issue is hard to avoid, I believe >> >>> this is not such a case. >> >>> >> >>> It is possible to create (valid) samples that allocate a huge amount >> >>> of memory but very small files should not immediately allocate an >> >>> amount of several G. >> >> >> >> Done. >> > >> > + entry_count = avio_rb32(pb); >> > >> > This has to be checked for later overflow, same in other spots. >> >> Done >> >> > >> > + encryption_index->auxiliary_offsets = >> > + av_malloc_array(sizeof(*encryption_index->auxiliary_offsets), >> > entry_count); >> > >> > I believe you forgot to remove these two lines. >> >> Yep, done. >> >> > >> > Note that I chose "1024*1024" arbitrarily to avoid a speed-loss for >> > (most likely) all valid files when fixing the dos in 1112ba01. >> > I don't know what a good lower limit for your use-case can be, or >> > if only using av_fast_realloc() - without the high starting value - >> > makes sense. >> >> Ok, for the saio atoms, it will likely be small (changed it to 1024) >> since it will either be the number of tenc atoms or the number of >> chunks or 1. Later code actually only supports one offset, but I >> didn't want to hard-code that requirement here. >> >> > >> > Carl Eugen >> > _______________________________________________ >> > ffmpeg-devel mailing list >> > ffmpeg-devel@ffmpeg.org >> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > >> isom.h | 6 + >> mov.c | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> 2 files changed, 243 insertions(+) >> 0c952e937ee35e8f95d1183047dd8d4f4bb1a7a2 0002-avformat-mov-Fix-parsing-of-saio-v4.patch >> From 76c6870513481c14c5c134f1b8e7e9a91e17e6b5 Mon Sep 17 00:00:00 2001 >> From: Jacob Trimble >> Date: Wed, 6 Dec 2017 16:17:54 -0800 >> Subject: [PATCH 2/3] avformat/mov: Fix parsing of saio/siaz atoms in encrypted >> content. >> >> This doesn't support saio atoms with more than one offset. >> >> Signed-off-by: Jacob Trimble > > Seems not to apply: > > Applying: avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. > error: sha1 information is lacking or useless (libavformat/isom.h). > error: could not build fake ancestor > Patch failed at 0001 avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. > Use 'git am --show-current-patch' to see the failed patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > I have never used |git am| before, but I am able to apply it fine using patch: patch -i 0002*.patch -p1 --no-backup-if-mismatch Maybe you tried to apply without the "remove old encryption info methods" patch (which was part of the previous email)? I can apply it against the current master just fine. Here is a version against the latest master in case there was some hash problems. > [...] > > thanks > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > During times of universal deceit, telling the truth becomes a > revolutionary act. -- George Orwell > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > From 51680480e36f65dd6c588cf01519df1c397f0d56 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Wed, 6 Dec 2017 16:17:54 -0800 Subject: [PATCH] avformat/mov: Fix parsing of saio/siaz atoms in encrypted content. This doesn't support saio atoms with more than one offset. Signed-off-by: Jacob Trimble --- libavformat/isom.h | 6 ++ libavformat/mov.c | 237 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 243 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index 4245d37767..fb361125c9 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -114,6 +114,12 @@ typedef struct MOVEncryptionIndex { // settings will be used. unsigned int nb_encrypted_samples; AVEncryptionInfo **encrypted_samples; + + uint8_t* auxiliary_info_sizes; + size_t auxiliary_info_sample_count; + uint8_t auxiliary_info_default_size; + size_t* auxiliary_offsets; ///< Absolute seek position + size_t auxiliary_offsets_count; } MOVEncryptionIndex; typedef struct MOVFragmentStreamInfo { diff --git a/libavformat/mov.c b/libavformat/mov.c index 45d8e1dce7..8fea6700c3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5912,6 +5912,228 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; } +static int mov_parse_auxiliary_info(MOVContext *c, MOVStreamContext *sc, AVIOContext *pb, MOVEncryptionIndex *encryption_index) +{ + AVEncryptionInfo **sample, **encrypted_samples; + int64_t prev_pos; + size_t sample_count, sample_info_size, i; + int ret = 0; + unsigned int alloc_size = 0; + + if (encryption_index->nb_encrypted_samples) + return 0; + sample_count = encryption_index->auxiliary_info_sample_count; + if (encryption_index->auxiliary_offsets_count != 1) { + av_log(c->fc, AV_LOG_ERROR, "Multiple auxiliary info chunks are not supported\n"); + return AVERROR_PATCHWELCOME; + } + if (sample_count >= INT_MAX / sizeof(*encrypted_samples)) + return AVERROR(ENOMEM); + + prev_pos = avio_tell(pb); + if (!(pb->seekable & AVIO_SEEKABLE_NORMAL) || + avio_seek(pb, encryption_index->auxiliary_offsets[0], SEEK_SET) != encryption_index->auxiliary_offsets[0]) { + av_log(c->fc, AV_LOG_INFO, "Failed to seek for auxiliary info, will only parse senc atoms for encryption info\n"); + goto finish; + } + + for (i = 0; i < sample_count && !pb->eof_reached; i++) { + unsigned int min_samples = FFMIN(FFMAX(i, 1024 * 1024), sample_count); + encrypted_samples = av_fast_realloc(encryption_index->encrypted_samples, &alloc_size, + min_samples * sizeof(*encrypted_samples)); + if (!encrypted_samples) { + ret = AVERROR(ENOMEM); + goto finish; + } + encryption_index->encrypted_samples = encrypted_samples; + + sample = &encryption_index->encrypted_samples[i]; + sample_info_size = encryption_index->auxiliary_info_default_size + ? encryption_index->auxiliary_info_default_size + : encryption_index->auxiliary_info_sizes[i]; + + ret = mov_read_sample_encryption_info(c, pb, sc, sample, sample_info_size > sc->cenc.per_sample_iv_size); + if (ret < 0) + goto finish; + } + if (pb->eof_reached) { + av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading auxiliary info\n"); + ret = AVERROR_INVALIDDATA; + } else { + encryption_index->nb_encrypted_samples = sample_count; + } + +finish: + avio_seek(pb, prev_pos, SEEK_SET); + if (ret < 0) { + for (; i > 0; i--) { + av_encryption_info_free(encryption_index->encrypted_samples[i - 1]); + } + av_freep(&encryption_index->encrypted_samples); + } + return ret; +} + +/** + * Tries to read the given number of bytes from the stream and puts it in a + * newly allocated buffer. This reads in small chunks to avoid allocating large + * memory if the file contains an invalid/malicious size value. + */ +static int mov_try_read_block(AVIOContext *pb, size_t size, uint8_t **data) +{ + const unsigned int block_size = 1024 * 1024; + uint8_t *buffer = NULL; + unsigned int alloc_size = 0, offset = 0; + while (offset < size) { + unsigned int new_size = + alloc_size >= INT_MAX - block_size ? INT_MAX : alloc_size + block_size; + uint8_t *new_buffer = av_fast_realloc(buffer, &alloc_size, new_size); + unsigned int to_read = FFMIN(size, alloc_size) - offset; + if (!new_buffer) { + av_free(buffer); + return AVERROR(ENOMEM); + } + buffer = new_buffer; + + if (avio_read(pb, buffer + offset, to_read) != to_read) { + av_free(buffer); + return AVERROR_INVALIDDATA; + } + offset += to_read; + } + + *data = buffer; + return 0; +} + +static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + MOVEncryptionIndex *encryption_index; + MOVStreamContext *sc; + int ret; + unsigned int sample_count; + + ret = get_current_encryption_info(c, &encryption_index, &sc); + if (ret != 1) + return ret; + + if (encryption_index->nb_encrypted_samples) { + // This can happen if we have both saio/saiz and senc atoms. + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate encryption info in saiz\n"); + return 0; + } + + if (encryption_index->auxiliary_info_sample_count) { + av_log(c->fc, AV_LOG_ERROR, "Duplicate saiz atom\n"); + return AVERROR_INVALIDDATA; + } + + avio_r8(pb); /* version */ + if (avio_rb24(pb) & 0x01) { /* flags */ + if (avio_rb32(pb) != sc->cenc.default_encrypted_sample->scheme) { + av_log(c->fc, AV_LOG_DEBUG, "Ignoring saiz box with non-zero aux_info_type\n"); + return 0; + } + if (avio_rb32(pb) != 0) { + av_log(c->fc, AV_LOG_DEBUG, "Ignoring saiz box with non-zero aux_info_type_parameter\n"); + return 0; + } + } + + encryption_index->auxiliary_info_default_size = avio_r8(pb); + sample_count = avio_rb32(pb); + encryption_index->auxiliary_info_sample_count = sample_count; + + if (encryption_index->auxiliary_info_default_size == 0) { + ret = mov_try_read_block(pb, sample_count, &encryption_index->auxiliary_info_sizes); + if (ret < 0) { + av_log(c->fc, AV_LOG_ERROR, "Failed to read the auxiliary info\n"); + return ret; + } + } + + if (encryption_index->auxiliary_offsets_count) { + return mov_parse_auxiliary_info(c, sc, pb, encryption_index); + } + + return 0; +} + +static int mov_read_saio(MOVContext *c, AVIOContext *pb, MOVAtom atom) +{ + uint64_t *auxiliary_offsets; + MOVEncryptionIndex *encryption_index; + MOVStreamContext *sc; + int i, ret; + unsigned int version, entry_count, alloc_size = 0; + + ret = get_current_encryption_info(c, &encryption_index, &sc); + if (ret != 1) + return ret; + + if (encryption_index->nb_encrypted_samples) { + // This can happen if we have both saio/saiz and senc atoms. + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate encryption info in saio\n"); + return 0; + } + + if (encryption_index->auxiliary_offsets_count) { + av_log(c->fc, AV_LOG_ERROR, "Duplicate saio atom\n"); + return AVERROR_INVALIDDATA; + } + + version = avio_r8(pb); /* version */ + if (avio_rb24(pb) & 0x01) { /* flags */ + if (avio_rb32(pb) != sc->cenc.default_encrypted_sample->scheme) { + av_log(c->fc, AV_LOG_DEBUG, "Ignoring saio box with non-zero aux_info_type\n"); + return 0; + } + if (avio_rb32(pb) != 0) { + av_log(c->fc, AV_LOG_DEBUG, "Ignoring saio box with non-zero aux_info_type_parameter\n"); + return 0; + } + } + + entry_count = avio_rb32(pb); + if (entry_count >= INT_MAX / sizeof(*auxiliary_offsets)) + return AVERROR(ENOMEM); + + for (i = 0; i < entry_count && !pb->eof_reached; i++) { + unsigned int min_offsets = FFMIN(FFMAX(i, 1024), entry_count); + auxiliary_offsets = av_fast_realloc( + encryption_index->auxiliary_offsets, &alloc_size, + min_offsets * sizeof(*auxiliary_offsets)); + if (!auxiliary_offsets) { + av_freep(&encryption_index->auxiliary_offsets); + return AVERROR(ENOMEM); + } + encryption_index->auxiliary_offsets = auxiliary_offsets; + + if (version == 0) { + encryption_index->auxiliary_offsets[i] = avio_rb32(pb); + } else { + encryption_index->auxiliary_offsets[i] = avio_rb64(pb); + } + if (c->frag_index.current >= 0) { + encryption_index->auxiliary_offsets[i] += c->fragment.base_data_offset; + } + } + + if (pb->eof_reached) { + av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading saio\n"); + av_freep(&encryption_index->auxiliary_offsets); + return AVERROR_INVALIDDATA; + } + + encryption_index->auxiliary_offsets_count = entry_count; + + if (encryption_index->auxiliary_info_sample_count) { + return mov_parse_auxiliary_info(c, sc, pb, encryption_index); + } + + return 0; +} + static int mov_read_schm(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; @@ -6127,6 +6349,17 @@ static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int } if (encryption_index) { + if (encryption_index->auxiliary_info_sample_count && + !encryption_index->nb_encrypted_samples) { + av_log(mov->fc, AV_LOG_ERROR, "saiz atom found without saio\n"); + return AVERROR_INVALIDDATA; + } + if (encryption_index->auxiliary_offsets_count && + !encryption_index->nb_encrypted_samples) { + av_log(mov->fc, AV_LOG_ERROR, "saio atom found without saiz\n"); + return AVERROR_INVALIDDATA; + } + if (!encryption_index->nb_encrypted_samples) { // Full-sample encryption with default settings. encrypted_sample = sc->cenc.default_encrypted_sample; @@ -6271,6 +6504,8 @@ static const MOVParseTableEntry mov_default_parse_table[] = { { MKTAG('s','i','n','f'), mov_read_default }, { MKTAG('f','r','m','a'), mov_read_frma }, { MKTAG('s','e','n','c'), mov_read_senc }, +{ MKTAG('s','a','i','z'), mov_read_saiz }, +{ MKTAG('s','a','i','o'), mov_read_saio }, { MKTAG('s','c','h','m'), mov_read_schm }, { MKTAG('s','c','h','i'), mov_read_default }, { MKTAG('t','e','n','c'), mov_read_tenc }, @@ -6666,6 +6901,8 @@ static void mov_free_encryption_index(MOVEncryptionIndex **index) { av_encryption_info_free((*index)->encrypted_samples[i]); } av_freep(&(*index)->encrypted_samples); + av_freep(&(*index)->auxiliary_info_sizes); + av_freep(&(*index)->auxiliary_offsets); av_freep(index); } -- 2.17.0.484.g0c8726318c-goog