From 409d1cd2c955485798f8b0b0147c2b899b9144ec Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Aug 2016 10:18:39 +0200 Subject: [PATCH] cook: use the bytestream2 API for reading extradata Fixes possible invalid reads in corrupted files. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/cook.c | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index f487db6a97..016b1d01bb 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1041,9 +1041,7 @@ static void dump_cook_context(COOKContext *q) static av_cold int cook_decode_init(AVCodecContext *avctx) { COOKContext *q = avctx->priv_data; - const uint8_t *edata_ptr = avctx->extradata; - const uint8_t *edata_ptr_end = edata_ptr + avctx->extradata_size; - int extradata_size = avctx->extradata_size; + GetByteContext gb; int s = 0; unsigned int channel_mask = 0; int samples_per_frame; @@ -1051,12 +1049,14 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->avctx = avctx; /* Take care of the codec specific extradata. */ - if (extradata_size < 8) { + if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Necessary extradata missing!\n"); return AVERROR_INVALIDDATA; } av_log(avctx, AV_LOG_DEBUG, "codecdata_length=%d\n", avctx->extradata_size); + bytestream2_init(&gb, avctx->extradata, avctx->extradata_size); + /* Take data from the AVCodecContext (RM container). */ if (!avctx->channels) { av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n"); @@ -1068,21 +1068,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) ff_audiodsp_init(&q->adsp); - while (edata_ptr < edata_ptr_end) { + while (bytestream2_get_bytes_left(&gb)) { /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ - if (extradata_size >= 8) { - q->subpacket[s].cookversion = bytestream_get_be32(&edata_ptr); - samples_per_frame = bytestream_get_be16(&edata_ptr); - q->subpacket[s].subbands = bytestream_get_be16(&edata_ptr); - extradata_size -= 8; - } - if (extradata_size >= 8) { - bytestream_get_be32(&edata_ptr); // Unknown unused - q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr); - q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr); - extradata_size -= 8; - } + q->subpacket[s].cookversion = bytestream2_get_be32(&gb); + samples_per_frame = bytestream2_get_be16(&gb); + q->subpacket[s].subbands = bytestream2_get_be16(&gb); + bytestream2_get_be32(&gb); // Unknown unused + q->subpacket[s].js_subband_start = bytestream2_get_be16(&gb); + q->subpacket[s].js_vlc_bits = bytestream2_get_be16(&gb); /* Initialize extradata related variables. */ q->subpacket[s].samples_per_channel = samples_per_frame / avctx->channels; @@ -1134,8 +1128,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) break; case MC_COOK: av_log(avctx, AV_LOG_DEBUG, "MULTI_CHANNEL\n"); - if (extradata_size >= 4) - channel_mask |= q->subpacket[s].channel_mask = bytestream_get_be32(&edata_ptr); + channel_mask |= q->subpacket[s].channel_mask = bytestream2_get_be32(&gb); if (av_get_channel_layout_nb_channels(q->subpacket[s].channel_mask) > 1) { q->subpacket[s].total_subbands = q->subpacket[s].subbands +