virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-02-09 14:14:39 +02:00
Code Issues Releases Activity

avformat/mov: fix possible crash in cenc_scheme_decrypt

Browse Source 
Data does not have to be decrypted in 16-byte blocks for AES-CTR mode, so
existing buggy code can be hugely simplified.

Fixes ticket #9829.

Signed-off-by: Marton Balint <cus@passwd.hu>
This commit is contained in:
ShuangxiLi 2022-07-02 15:40:57 +08:00 committed by Marton Balint
parent 9222965fdd
commit 046b05082d
1 changed files with 2 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
libavformat/mov.c
View File

@ -6824,9 +6824,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption
{ {
int i, ret; int i, ret;
int bytes_of_protected_data; int bytes_of_protected_data;
int partially_encrypted_block_size;
uint8_t *partially_encrypted_block;
uint8_t block[16];
if (!sc->cenc.aes_ctr) { if (!sc->cenc.aes_ctr) {
/* initialize the cipher */ /* initialize the cipher */
@ -6849,8 +6846,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption
return 0; return 0;
} }
partially_encrypted_block_size = 0;
for (i = 0; i < sample->subsample_count; i++) { for (i = 0; i < sample->subsample_count; i++) {
if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) {
av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n");
@ -6863,28 +6858,8 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption
/* decrypt the encrypted bytes */ /* decrypt the encrypted bytes */
if (partially_encrypted_block_size) { bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data;
memcpy(block, partially_encrypted_block, partially_encrypted_block_size); av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data);
memcpy(block+partially_encrypted_block_size, input, 16-partially_encrypted_block_size);
av_aes_ctr_crypt(sc->cenc.aes_ctr, block, block, 16);
memcpy(partially_encrypted_block, block, partially_encrypted_block_size);
memcpy(input, block+partially_encrypted_block_size, 16-partially_encrypted_block_size);
input += 16-partially_encrypted_block_size;
size -= 16-partially_encrypted_block_size;
bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data - (16-partially_encrypted_block_size);
} else {
bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data;
}
if (i < sample->subsample_count-1) {
int num_of_encrypted_blocks = bytes_of_protected_data/16;
partially_encrypted_block_size = bytes_of_protected_data%16;
if (partially_encrypted_block_size)
partially_encrypted_block = input + 16*num_of_encrypted_blocks;
av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, 16*num_of_encrypted_blocks);
} else {
av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data);
}
input += bytes_of_protected_data; input += bytes_of_protected_data;
size -= bytes_of_protected_data; size -= bytes_of_protected_data;