From patchwork Fri Oct 2 05:53:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: liushuyu@aosc.io X-Patchwork-Id: 22680 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id DAA8844BA68 for ; Fri, 2 Oct 2020 08:54:19 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A2694689D06; Fri, 2 Oct 2020 08:54:19 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from relay4.mymailcheap.com (relay4.mymailcheap.com [137.74.80.156]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E3296688104 for ; Fri, 2 Oct 2020 08:54:12 +0300 (EEST) Received: from filter2.mymailcheap.com (filter2.mymailcheap.com [91.134.140.82]) by relay4.mymailcheap.com (Postfix) with ESMTPS id E53483F162 for ; Fri, 2 Oct 2020 07:54:11 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by filter2.mymailcheap.com (Postfix) with ESMTP id B5F882A913 for ; Fri, 2 Oct 2020 07:54:11 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mymailcheap.com; s=default; t=1601618051; bh=JATfC8zJF2pY1H/k1vaMbAdleXSWI5kVYurap8f3zKU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qJ7idHdcP/ISisdSHo3NlX2e0qZSu/KsNp6QJBrWc81nPnqB/ptV8/UjLQkxbJ1Q/ CKioLj+ylaVRPghYJHAzbP2Ycih4fnYVZVUx/0YporXia6kRGv6h0k7M2wNsKXfKAu pSum0Y0wjlNFE+YE8Xohrm9/0NR+0X0B5i7Qa1U8= X-Virus-Scanned: Debian amavisd-new at filter2.mymailcheap.com Received: from filter2.mymailcheap.com ([127.0.0.1]) by localhost (filter2.mymailcheap.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9RC95nBWLxg for ; Fri, 2 Oct 2020 07:54:10 +0200 (CEST) Received: from mail20.mymailcheap.com (mail20.mymailcheap.com [51.83.111.147]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by filter2.mymailcheap.com (Postfix) with ESMTPS for ; Fri, 2 Oct 2020 07:54:10 +0200 (CEST) Received: from [213.133.102.83] (ml.mymailcheap.com [213.133.102.83]) by mail20.mymailcheap.com (Postfix) with ESMTP id 6022D41CBA; Fri, 2 Oct 2020 05:54:10 +0000 (UTC) Authentication-Results: mail20.mymailcheap.com; dkim=pass (1024-bit key; unprotected) header.d=aosc.io header.i=@aosc.io header.b="jZNLhC3Q"; dkim-atps=neutral AI-Spam-Status: Not processed Received: from liushuyu.lan (d50-99-10-89.abhsia.telus.net [50.99.10.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail20.mymailcheap.com (Postfix) with ESMTPSA id EF0D641CBA; Fri, 2 Oct 2020 05:54:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=aosc.io; s=default; t=1601618045; bh=JATfC8zJF2pY1H/k1vaMbAdleXSWI5kVYurap8f3zKU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jZNLhC3QSBj8DMjPeyVRCtq4Y5bJKeGNm1JppRUobxmjrgrsr1C+W9GQWVkFBNh/s fLIPG0Cqeom+yLYDPZtRQgr1wrRTVKojv5D6sha+c+0QCPJGfWVVVrr507Gj5sB10F QccY7gNuy4AVJhiMPYJCAVg+zx7RcVoUExNBuciM= From: liushuyu@aosc.io To: ffmpeg-devel@ffmpeg.org Date: Thu, 1 Oct 2020 23:53:36 -0600 Message-Id: <20201002055336.38476-2-liushuyu@aosc.io> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201002055336.38476-1-liushuyu@aosc.io> References: <20201002055336.38476-1-liushuyu@aosc.io> MIME-Version: 1.0 X-Rspamd-Queue-Id: 6022D41CBA X-Spamd-Result: default: False [4.90 / 20.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_ALLOW(0.00)[aosc.io:s=default]; TO_DN_SOME(0.00)[]; R_MISSING_CHARSET(2.50)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[aosc.io]; BROKEN_CONTENT_TYPE(1.50)[]; R_SPF_SOFTFAIL(0.00)[~all:c]; ML_SERVERS(-3.10)[213.133.102.83]; DKIM_TRACE(0.00)[aosc.io:+]; RCPT_COUNT_TWO(0.00)[2]; FROM_NO_DN(0.00)[]; MID_CONTAINS_FROM(1.00)[]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:24940, ipnet:213.133.96.0/19, country:DE]; RCVD_COUNT_TWO(0.00)[2]; HFILTER_HELO_BAREIP(3.00)[213.133.102.83,1] X-Rspamd-Server: mail20.mymailcheap.com Subject: [FFmpeg-devel] [PATCH 1/1] avformat: mca: relax a condition check to be able to play certain files X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: liushuyu Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" From: liushuyu In certain mca files, the coefficient table is in the data section instead of the header section. In this case, the coefficient offset relative to the header ending marker is a negative value thus failing the original condition check at line 146. The new check just check if the coefficient offset is within the file range (since there is no way to know where the actual audio samples are without the correct header information). --- libavformat/mca.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/mca.c b/libavformat/mca.c index 27cfb1c..5bb9a35 100644 --- a/libavformat/mca.c +++ b/libavformat/mca.c @@ -48,9 +48,9 @@ static int read_header(AVFormatContext *s) int64_t file_size = avio_size(s->pb); uint16_t version = 0; uint32_t header_size, data_size, data_offset, loop_start, loop_end, - nb_samples, nb_metadata, coef_offset = 0; + nb_samples, nb_metadata = 0; int ch, ret; - int64_t ret_size; + int64_t ret_size, coef_offset = 0; st = avformat_new_stream(s, NULL); if (!st) @@ -144,10 +144,10 @@ static int read_header(AVFormatContext *s) } // coefficient alignment = 0x30; metadata size = 0x14 - if (0x30 * par->channels + nb_metadata * 0x14 > header_size) - return AVERROR_INVALIDDATA; coef_offset = - header_size - 0x30 * par->channels + nb_metadata * 0x14; + (int64_t)header_size - 0x30 * par->channels + nb_metadata * 0x14; + if (coef_offset < 0 || coef_offset >= file_size) + return AVERROR_INVALIDDATA; st->start_time = 0; par->codec_id = AV_CODEC_ID_ADPCM_THP_LE;