Commit 09d8289c authored by michael's avatar michael

adding a few checks to the audio packet descrambling, this should hopefully...

adding a few checks to the audio packet descrambling, this should hopefully catch all related out-of-array accesses
Note: the original code might have been exploitable.


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@7640 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 8b5deec6
...@@ -244,7 +244,8 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) ...@@ -244,7 +244,8 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
// asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data); // asf_st->ds_data_size, asf_st->ds_span, asf_st->ds_silence_data);
if (asf_st->ds_span > 1) { if (asf_st->ds_span > 1) {
if (!asf_st->ds_chunk_size if (!asf_st->ds_chunk_size
|| (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)) || (asf_st->ds_packet_size/asf_st->ds_chunk_size <= 1)
|| asf_st->ds_packet_size % asf_st->ds_chunk_size)
asf_st->ds_span = 0; // disable descrambling asf_st->ds_span = 0; // disable descrambling
} }
switch (st->codec->codec_id) { switch (st->codec->codec_id) {
...@@ -702,6 +703,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) ...@@ -702,6 +703,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
if (asf_st->frag_offset == asf_st->pkt.size) { if (asf_st->frag_offset == asf_st->pkt.size) {
/* return packet */ /* return packet */
if (asf_st->ds_span > 1) { if (asf_st->ds_span > 1) {
if(asf_st->pkt.size != asf_st->ds_packet_size * asf_st->ds_span){
av_log(s, AV_LOG_ERROR, "pkt.size != ds_packet_size * ds_span\n");
}else{
/* packet descrambling */ /* packet descrambling */
uint8_t *newdata = av_malloc(asf_st->pkt.size); uint8_t *newdata = av_malloc(asf_st->pkt.size);
if (newdata) { if (newdata) {
...@@ -712,6 +716,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) ...@@ -712,6 +716,9 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
int col = off % asf_st->ds_span; int col = off % asf_st->ds_span;
int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size; int idx = row + col * asf_st->ds_packet_size / asf_st->ds_chunk_size;
//printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx); //printf("off:%d row:%d col:%d idx:%d\n", off, row, col, idx);
assert(offset + asf_st->ds_chunk_size <= asf_st->pkt.size);
assert(idx+1 <= asf_st->pkt.size / asf_st->ds_chunk_size);
memcpy(newdata + offset, memcpy(newdata + offset,
asf_st->pkt.data + idx * asf_st->ds_chunk_size, asf_st->pkt.data + idx * asf_st->ds_chunk_size,
asf_st->ds_chunk_size); asf_st->ds_chunk_size);
...@@ -720,6 +727,7 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt) ...@@ -720,6 +727,7 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
av_free(asf_st->pkt.data); av_free(asf_st->pkt.data);
asf_st->pkt.data = newdata; asf_st->pkt.data = newdata;
} }
}
} }
asf_st->frag_offset = 0; asf_st->frag_offset = 0;
*pkt= asf_st->pkt; *pkt= asf_st->pkt;
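Review bot: The two `assert()` calls added before the memcpy in the hunk at @@ -712 are compiled out under NDEBUG, so in a release build they enforce nothing; the bounds actually rest on the `ds_packet_size % ds_chunk_size` check added in asf_read_header and on the `pkt.size != ds_packet_size * ds_span` check added just above the descrambling loop. As far as I can trace from the visible lines, those two conditions do keep `idx` below `pkt.size / ds_chunk_size` (and `offset` as well, assuming it advances by `ds_chunk_size` per iteration outside the hunk), but that derivation is recorded nowhere, so I would add `/* bounds follow from the ds_packet_size % ds_chunk_size check in asf_read_header and the pkt.size check above; the asserts only document that invariant */` before the asserts. In the mismatch branch the av_log is followed by handing the packet to the caller un-descrambled; if that is intended it deserves a comment, otherwise rejecting that packet would be the safer behaviour for downstream decoders. The `for` statement enclosing the loop body and the rest of asf_read_packet lie outside these hunks.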