From b98a824c3e97a2e40eb9fd5daa64001ecd4b7f5a Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Wed, 17 Apr 2013 21:07:09 +0200
Subject: [PATCH 1/4] oma: check geob tag boundary

Prevent read after buffer boundary on corrupted tag.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 9d0b45ade864f3d2ccd8610149fe1fff53c4e937)
Signed-off-by: Luca Barbato

Conflicts:
	libavformat/omadec.c
---
 libavformat/omadec.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 42272480f9..860b876b8c 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -113,13 +113,18 @@ static int kset(AVFormatContext *s, const uint8_t *r_val, const uint8_t *n_val,
     return 0;
 }
 
-static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
+#define OMA_RPROBE_M_VAL 48 + 1
+
+static int rprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
+                  const uint8_t *r_val)
 {
     OMAContext *oc = s->priv_data;
     unsigned int pos;
     struct AVDES av_des;
 
-    if (!enc_header || !r_val)
+    if (!enc_header || !r_val ||
+        size < OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size ||
+        size < OMA_RPROBE_M_VAL)
         return -1;
 
     /* m_val */
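Review bot: The new size guard in rprobe is still short by the 8 bytes that the function's closing `memcmp(&enc_header[pos], oc->sm_val, 8)` reads (the body is outside this hunk; that memcmp is visible as the first context line of the next hunk): if pos ends up at `OMA_ENC_HEADER_SIZE + k_size + e_size + i_size`, as the guard's terms suggest, a tag whose size equals exactly that sum passes the check and the comparison reads past the buffer. The guard should be `size < OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size + 8 ||`. Separately, `#define OMA_RPROBE_M_VAL 48 + 1` is an unparenthesised expression macro; `size < OMA_RPROBE_M_VAL` happens to parse as intended, but it should read `#define OMA_RPROBE_M_VAL (48 + 1)`, and if the m_val step decrypts a whole 8-byte DES block at `enc_header[48]` the constant should cover 48 + 8 bytes rather than 49.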
@@ -140,19 +145,25 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val)
     return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0;
 }
 
-static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
+static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
+                  const uint8_t *n_val)
 {
     OMAContext *oc = s->priv_data;
-    uint32_t pos, taglen, datalen;
+    uint64_t pos;
+    uint32_t taglen, datalen;
     struct AVDES av_des;
 
-    if (!enc_header || !n_val)
+    if (!enc_header || !n_val ||
+        size < OMA_ENC_HEADER_SIZE + oc->k_size + 4)
         return -1;
 
     pos = OMA_ENC_HEADER_SIZE + oc->k_size;
     if (!memcmp(&enc_header[pos], "EKB ", 4))
         pos += 32;
 
+    if (size < pos + 44)
+        return -1;
+
     if (AV_RB32(&enc_header[pos]) != oc->rid)
         av_log(s, AV_LOG_DEBUG, "Mismatching RID\n");
 
@@ -161,11 +172,14 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val)
     pos += 44 + taglen;
 
+    if (datalen << 4 > size - pos)
+        return -1;
+
     av_des_init(&av_des, n_val, 192, 1);
     while (datalen-- > 0) {
         av_des_crypt(&av_des, oc->r_val, &enc_header[pos], 2, NULL, 1);
         kset(s, oc->r_val, NULL, 16);
-        if (!rprobe(s, enc_header, oc->r_val))
+        if (!rprobe(s, enc_header, size, oc->r_val))
             return 0;
         pos += 16;
     }
 
@@ -228,15 +242,16 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
         kset(s, s->key, s->key, s->keylen);
     }
     if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) ||
-        rprobe(s, gdata, oc->r_val) < 0 &&
-        nprobe(s, gdata, oc->n_val) < 0) {
+        rprobe(s, gdata, geob->datasize, oc->r_val) < 0 &&
+        nprobe(s, gdata, geob->datasize, oc->n_val) < 0) {
         int i;
         for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) {
             uint8_t buf[16];
             AV_WL64(buf, leaf_table[i]);
             AV_WL64(&buf[8], leaf_table[i+1]);
             kset(s, buf, buf, 16);
-            if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, oc->n_val))
+            if (!rprobe(s, gdata, geob->datasize, oc->r_val) ||
+                !nprobe(s, gdata, geob->datasize, oc->n_val))
                 break;
         }
         if (i >= sizeof(leaf_table)) {
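Review bot: The new check `if (datalen << 4 > size - pos)` does not cover pos already being past the end of the buffer: `pos += 44 + taglen` adds a 32-bit taglen taken from the tag itself to a pos that the earlier `size < pos + 44` guard only bounded before that addition, and because pos is uint64_t, `size - pos` wraps to a huge value when pos > size, so the comparison passes and the loop's `av_des_crypt(..., &enc_header[pos], ...)` reads out of bounds. Write the bound so it cannot underflow, `if (pos + ((uint64_t)datalen << 4) > size) return -1;`, which also avoids relying on the 32-bit `datalen << 4` being overflow-free (true only because datalen was derived with `>> 4` outside this hunk). nprobe's body starts and ends outside the hunk.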
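Review bot: The rewritten condition in decrypt_init keeps `a || b && c` without parentheses, and the new two-line call layout makes the precedence easier to misread; wrap the conjunction as `(rprobe(s, gdata, geob->datasize, oc->r_val) < 0 && nprobe(s, gdata, geob->datasize, oc->n_val) < 0)` so the intent (fall back to the leaf table only when both probes fail) is explicit. The enclosing function starts and ends outside the hunk, so it is not visible whether `geob->datasize` is the length of gdata itself or of a larger tag buffer; since rprobe and nprobe now trust it as the readable extent of gdata, a one-line comment at the first call, `/* datasize bounds every read of gdata in the probes */`, would pin that assumption for the next reader.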
From 3cc05e0d9d24d0d6f2fdb1d49ec6b6d298816dae Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Wed, 17 Apr 2013 21:19:23 +0200
Subject: [PATCH 2/4] oma: correctly mark and decrypt partial packets

Incomplete crypted files would lead to a read after buffer boundary otherwise.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 2219e27b5b17d146e4ab71a3ed86dfc013fb7a93)
Signed-off-by: Luca Barbato

Conflicts:
	libavformat/omadec.c
---
 libavformat/omadec.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 860b876b8c..9e8b43b3c5 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -392,14 +392,22 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt)
     int packet_size = s->streams[0]->codec->block_align;
     int ret = av_get_packet(s->pb, pkt, packet_size);
 
+    if (ret < packet_size)
+        pkt->flags |= AV_PKT_FLAG_CORRUPT;
+
     if (ret <= 0)
         return AVERROR(EIO);
 
     pkt->stream_index = 0;
 
     if (oc->encrypted) {
-        /* previous unencrypted block saved in IV for the next packet (CBC mode) */
-        av_des_crypt(&oc->av_des, pkt->data, pkt->data, (packet_size >> 3), oc->iv, 1);
+        /* previous unencrypted block saved in IV for
+         * the next packet (CBC mode) */
+        if (ret == packet_size)
+            av_des_crypt(&oc->av_des, pkt->data, pkt->data,
+                         (packet_size >> 3), oc->iv, 1);
+        else
+            memset(oc->iv, 0, 8);
     }
 
     return ret;

From cda26ab21eb574e7e39b0a329941d87754b8c477 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 12 Aug 2013 00:16:12 +0200
Subject: [PATCH 3/4] nuv: Do not ignore lzo decompression failures

Update the fate reference since the last broken frame is not decoded anymore.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit aae159a7cc4df7d0521901022b778c9da251c24e)
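Review bot: `pkt->flags |= AV_PKT_FLAG_CORRUPT` is applied before the `ret <= 0` check, so on a read error the flag is set on a packet that is abandoned on the next line, while the real error code in ret is replaced by AVERROR(EIO); move the flag assignment below that check and consider `return ret < 0 ? ret : AVERROR(EIO);` so EOF and genuine I/O errors stay distinguishable to the caller. In the encrypted branch a short packet is now handed back with its ciphertext untouched and only the corrupt flag to warn consumers; that deserves a comment next to the `else`, e.g. `/* short read: data stays encrypted, is flagged corrupt, and the CBC chain is reset */`. Whether zeroing oc->iv matches the IV established when the stream was opened is not visible in this hunk.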
Signed-off-by: Luca Barbato

Conflicts:
	libavcodec/nuv.c
---
 libavcodec/nuv.c   | 4 +++-
 tests/ref/fate/nuv | 1 -
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 519b550bcd..b4e21bf0dd 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -177,8 +177,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     buf_size -= 12;
     if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) {
         int outlen = c->decomp_size, inlen = buf_size;
-        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen))
+        if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) {
             av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
+            return AVERROR_INVALIDDATA;
+        }
         buf = c->decomp_buf;
         buf_size = c->decomp_size;
     }
diff --git a/tests/ref/fate/nuv b/tests/ref/fate/nuv
index f1fcae3883..c43c09cf85 100644
--- a/tests/ref/fate/nuv
+++ b/tests/ref/fate/nuv
@@ -18,7 +18,6 @@
 1, 20898, 4096, 0x28f7c6e5
 0, 21021, 460800, 0x4b7f4df0
 1, 22988, 4096, 0xca9d9df2
-0, 24024, 460800, 0xb30eb322
 1, 25078, 4096, 0x5c6b95a9
 1, 27167, 4096, 0x0bdfc0bf
 1, 29257, 4096, 0xd95a9277

From 36fc320747a768335ae4538a24a5739033b7eb74 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Mon, 12 Aug 2013 11:34:06 +0200
Subject: [PATCH 4/4] nuv: Pad the lzo outbuf

And properly update the buf_size with the correct size.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 075dbc185521f193c98b896cd63be3ec2613df5d)
Signed-off-by: Luca Barbato

Conflicts:
	libavcodec/nuv.c
---
 libavcodec/nuv.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index b4e21bf0dd..459fd27df3 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -116,7 +116,8 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int qualit
         return 0;
     avctx->width = c->width = width;
     avctx->height = c->height = height;
-    av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2);
+    av_fast_malloc(&c->decomp_buf, &c->decomp_size, c->height * c->width * 3 / 2 +
+                   FF_INPUT_BUFFER_PADDING_SIZE);
     if (!c->decomp_buf) {
         av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
         return 0;
@@ -176,13 +177,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     buf = &buf[12];
     buf_size -= 12;
     if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) {
-        int outlen = c->decomp_size, inlen = buf_size;
+        int outlen = c->decomp_size - FF_INPUT_BUFFER_PADDING_SIZE;
+        int inlen = buf_size;
         if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) {
             av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
             return AVERROR_INVALIDDATA;
         }
         buf = c->decomp_buf;
-        buf_size = c->decomp_size;
+        buf_size = outlen;
     }
     if (c->codec_frameheader) {
         int w, h, q;
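Review bot: The allocation size `c->height * c->width * 3 / 2 + FF_INPUT_BUFFER_PADDING_SIZE` is evaluated in int, so it is only safe if width and height were bounded earlier in codec_reinit (the function starts outside this hunk, presumably through an image-size check before the `return 0;` context line); if they are not, header-supplied dimensions wrap the product and av_fast_malloc hands back an undersized buffer that decode_frame later treats as full-size. The extra bytes are also not initialised by av_fast_malloc, and nothing in this commit says what they are for; a comment on the call, `/* padding: readers of the decoded frame may overrun the payload */`, would make the contract visible to whoever next touches decomp_size.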
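Review bot: `buf_size = outlen;` stores the wrong quantity if av_lzo1x_decode follows its libavutil contract, under which outlen on return holds the bytes left in the output buffer rather than the bytes produced; a frame that fills the buffer exactly would then continue with buf_size == 0, and a shorter one with a size unrelated to its data. The produced length is the capacity that was passed in minus what is left, `buf_size = c->decomp_size - FF_INPUT_BUFFER_PADDING_SIZE - outlen;`, and the padding after it should be cleared, `memset(c->decomp_buf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);`, since av_fast_malloc does not zero it and the point of the padding is that an over-reading parser sees defined bytes. decode_frame continues outside this hunk.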