avformat/mov: fix possible crash in cenc_scheme_decrypt

Data does not have to be decrypted in 16-byte blocks for AES-CTR mode, so existing buggy code can be hugely simplified. Fixes ticket #9829. Signed-off-by: Marton Balint <cus@passwd.hu>
2025-02-04 06:08:26 +02:00 · 2022-07-02 15:40:57 +08:00 · 2022-07-02 15:40:57 +08:00 · 046b05082d
commit 046b05082d
parent 9222965fdd
1 changed files with 2 additions and 27 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -6824,9 +6824,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption
 {
    int i, ret;
    int bytes_of_protected_data;
-    int partially_encrypted_block_size;
-    uint8_t *partially_encrypted_block;
-    uint8_t block[16];

    if (!sc->cenc.aes_ctr) {
        /* initialize the cipher */
@ -6849,8 +6846,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption
        return 0;
    }

-    partially_encrypted_block_size = 0;
-
    for (i = 0; i < sample->subsample_count; i++) {
        if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) {
            av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n");
@ -6863,28 +6858,8 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption

        /* decrypt the encrypted bytes */

-        if (partially_encrypted_block_size) {
-            memcpy(block, partially_encrypted_block, partially_encrypted_block_size);
-            memcpy(block+partially_encrypted_block_size, input, 16-partially_encrypted_block_size);
-            av_aes_ctr_crypt(sc->cenc.aes_ctr, block, block, 16);
-            memcpy(partially_encrypted_block, block, partially_encrypted_block_size);
-            memcpy(input, block+partially_encrypted_block_size, 16-partially_encrypted_block_size);
-            input += 16-partially_encrypted_block_size;
-            size -= 16-partially_encrypted_block_size;
-            bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data - (16-partially_encrypted_block_size);
-        } else {
-            bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data;
-        }
-
-        if (i < sample->subsample_count-1) {
-            int num_of_encrypted_blocks = bytes_of_protected_data/16;
-            partially_encrypted_block_size = bytes_of_protected_data%16;
-            if (partially_encrypted_block_size)
-                partially_encrypted_block = input + 16*num_of_encrypted_blocks;
-            av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, 16*num_of_encrypted_blocks);
-        } else {
-            av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data);
-        }
+        bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data;
+        av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data);

        input += bytes_of_protected_data;
        size -= bytes_of_protected_data;