1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-03 05:10:03 +02:00
FFmpeg/libavformat/aadec.c
Michael Niedermayer 59ac418258 avformat/aadec: Check for scanf() failure
Fixes: use of uninitialized variables
Fixes: blank.aa

Found-by: Chamal De Silva <chamal.desilva@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed188f6dcd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-11-14 23:30:37 +01:00

316 lines
11 KiB
C

/*
* Audible AA demuxer
* Copyright (c) 2015 Vesselin Bontchev
*
* Header parsing is borrowed from https://github.com/jteeuwen/audible project.
* Copyright (c) 2001-2014, Jim Teeuwen
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "avformat.h"
#include "internal.h"
#include "libavutil/dict.h"
#include "libavutil/intreadwrite.h"
#include "libavutil/tea.h"
#include "libavutil/opt.h"
#define AA_MAGIC 1469084982 /* this identifies an audible .aa file */
#define MAX_CODEC_SECOND_SIZE 3982
#define MAX_TOC_ENTRIES 16
#define MAX_DICTIONARY_ENTRIES 128
#define TEA_BLOCK_SIZE 8
typedef struct AADemuxContext {
AVClass *class;
uint8_t *aa_fixed_key;
int aa_fixed_key_len;
int codec_second_size;
int current_codec_second_size;
int chapter_idx;
struct AVTEA *tea_ctx;
uint8_t file_key[16];
int64_t current_chapter_size;
} AADemuxContext;
static int get_second_size(char *codec_name)
{
int result = -1;
if (!strcmp(codec_name, "mp332")) {
result = 3982;
} else if (!strcmp(codec_name, "acelp16")) {
result = 2000;
} else if (!strcmp(codec_name, "acelp85")) {
result = 1045;
}
return result;
}
static int aa_read_header(AVFormatContext *s)
{
int i, j, idx, largest_idx = -1;
uint32_t nkey, nval, toc_size, npairs, header_seed = 0, start;
char key[128], val[128], codec_name[64] = {0};
uint8_t output[24], dst[8], src[8];
int64_t largest_size = -1, current_size = -1;
struct toc_entry {
uint32_t offset;
uint32_t size;
} TOC[MAX_TOC_ENTRIES];
uint32_t header_key_part[4];
uint8_t header_key[16] = {0};
AADemuxContext *c = s->priv_data;
AVIOContext *pb = s->pb;
AVStream *st;
int ret;
/* parse .aa header */
avio_skip(pb, 4); // file size
avio_skip(pb, 4); // magic string
toc_size = avio_rb32(pb); // TOC size
avio_skip(pb, 4); // unidentified integer
if (toc_size > MAX_TOC_ENTRIES)
return AVERROR_INVALIDDATA;
for (i = 0; i < toc_size; i++) { // read TOC
avio_skip(pb, 4); // TOC entry index
TOC[i].offset = avio_rb32(pb); // block offset
TOC[i].size = avio_rb32(pb); // block size
}
avio_skip(pb, 24); // header termination block (ignored)
npairs = avio_rb32(pb); // read dictionary entries
if (npairs > MAX_DICTIONARY_ENTRIES)
return AVERROR_INVALIDDATA;
for (i = 0; i < npairs; i++) {
memset(val, 0, sizeof(val));
memset(key, 0, sizeof(key));
avio_skip(pb, 1); // unidentified integer
nkey = avio_rb32(pb); // key string length
nval = avio_rb32(pb); // value string length
avio_get_str(pb, nkey, key, sizeof(key));
avio_get_str(pb, nval, val, sizeof(val));
if (!strcmp(key, "codec")) {
av_log(s, AV_LOG_DEBUG, "Codec is <%s>\n", val);
strncpy(codec_name, val, sizeof(codec_name) - 1);
} else if (!strcmp(key, "HeaderSeed")) {
av_log(s, AV_LOG_DEBUG, "HeaderSeed is <%s>\n", val);
header_seed = atoi(val);
} else if (!strcmp(key, "HeaderKey")) { // this looks like "1234567890 1234567890 1234567890 1234567890"
av_log(s, AV_LOG_DEBUG, "HeaderKey is <%s>\n", val);
ret = sscanf(val, "%"SCNu32"%"SCNu32"%"SCNu32"%"SCNu32,
&header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]);
if (ret != 4)
return AVERROR_INVALIDDATA;
for (idx = 0; idx < 4; idx++) {
AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE!
}
av_log(s, AV_LOG_DEBUG, "Processed HeaderKey is ");
for (i = 0; i < 16; i++)
av_log(s, AV_LOG_DEBUG, "%02x", header_key[i]);
av_log(s, AV_LOG_DEBUG, "\n");
} else {
av_dict_set(&s->metadata, key, val, 0);
}
}
/* verify fixed key */
if (c->aa_fixed_key_len != 16) {
av_log(s, AV_LOG_ERROR, "aa_fixed_key value needs to be 16 bytes!\n");
return AVERROR(EINVAL);
}
/* verify codec */
if ((c->codec_second_size = get_second_size(codec_name)) == -1) {
av_log(s, AV_LOG_ERROR, "unknown codec <%s>!\n", codec_name);
return AVERROR(EINVAL);
}
/* decryption key derivation */
c->tea_ctx = av_tea_alloc();
if (!c->tea_ctx)
return AVERROR(ENOMEM);
av_tea_init(c->tea_ctx, c->aa_fixed_key, 16);
output[0] = output[1] = 0; // purely for padding purposes
memcpy(output + 2, header_key, 16);
idx = 0;
for (i = 0; i < 3; i++) { // TEA CBC with weird mixed endianness
AV_WB32(src, header_seed);
AV_WB32(src + 4, header_seed + 1);
header_seed += 2;
av_tea_crypt(c->tea_ctx, dst, src, 1, NULL, 0); // TEA ECB encrypt
for (j = 0; j < TEA_BLOCK_SIZE && idx < 18; j+=1, idx+=1) {
output[idx] = output[idx] ^ dst[j];
}
}
memcpy(c->file_key, output + 2, 16); // skip first 2 bytes of output
av_log(s, AV_LOG_DEBUG, "File key is ");
for (i = 0; i < 16; i++)
av_log(s, AV_LOG_DEBUG, "%02x", c->file_key[i]);
av_log(s, AV_LOG_DEBUG, "\n");
/* decoder setup */
st = avformat_new_stream(s, NULL);
if (!st) {
av_freep(&c->tea_ctx);
return AVERROR(ENOMEM);
}
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
if (!strcmp(codec_name, "mp332")) {
st->codecpar->codec_id = AV_CODEC_ID_MP3;
st->codecpar->sample_rate = 22050;
st->need_parsing = AVSTREAM_PARSE_FULL_RAW;
st->start_time = 0;
} else if (!strcmp(codec_name, "acelp85")) {
st->codecpar->codec_id = AV_CODEC_ID_SIPR;
st->codecpar->block_align = 19;
st->codecpar->channels = 1;
st->codecpar->sample_rate = 8500;
st->need_parsing = AVSTREAM_PARSE_FULL_RAW;
} else if (!strcmp(codec_name, "acelp16")) {
st->codecpar->codec_id = AV_CODEC_ID_SIPR;
st->codecpar->block_align = 20;
st->codecpar->channels = 1;
st->codecpar->sample_rate = 16000;
st->need_parsing = AVSTREAM_PARSE_FULL_RAW;
}
/* determine, and jump to audio start offset */
for (i = 1; i < toc_size; i++) { // skip the first entry!
current_size = TOC[i].size;
if (current_size > largest_size) {
largest_idx = i;
largest_size = current_size;
}
}
start = TOC[largest_idx].offset;
avio_seek(pb, start, SEEK_SET);
c->current_chapter_size = 0;
return 0;
}
static int aa_read_packet(AVFormatContext *s, AVPacket *pkt)
{
uint8_t dst[TEA_BLOCK_SIZE];
uint8_t src[TEA_BLOCK_SIZE];
int i;
int trailing_bytes;
int blocks;
uint8_t buf[MAX_CODEC_SECOND_SIZE * 2];
int written = 0;
int ret;
AADemuxContext *c = s->priv_data;
// are we at the start of a chapter?
if (c->current_chapter_size == 0) {
c->current_chapter_size = avio_rb32(s->pb);
if (c->current_chapter_size == 0) {
return AVERROR_EOF;
}
av_log(s, AV_LOG_DEBUG, "Chapter %d (%" PRId64 " bytes)\n", c->chapter_idx, c->current_chapter_size);
c->chapter_idx = c->chapter_idx + 1;
avio_skip(s->pb, 4); // data start offset
c->current_codec_second_size = c->codec_second_size;
}
// is this the last block in this chapter?
if (c->current_chapter_size / c->current_codec_second_size == 0) {
c->current_codec_second_size = c->current_chapter_size % c->current_codec_second_size;
}
// decrypt c->current_codec_second_size bytes
blocks = c->current_codec_second_size / TEA_BLOCK_SIZE;
for (i = 0; i < blocks; i++) {
avio_read(s->pb, src, TEA_BLOCK_SIZE);
av_tea_init(c->tea_ctx, c->file_key, 16);
av_tea_crypt(c->tea_ctx, dst, src, 1, NULL, 1);
memcpy(buf + written, dst, TEA_BLOCK_SIZE);
written = written + TEA_BLOCK_SIZE;
}
trailing_bytes = c->current_codec_second_size % TEA_BLOCK_SIZE;
if (trailing_bytes != 0) { // trailing bytes are left unencrypted!
avio_read(s->pb, src, trailing_bytes);
memcpy(buf + written, src, trailing_bytes);
written = written + trailing_bytes;
}
// update state
c->current_chapter_size = c->current_chapter_size - c->current_codec_second_size;
if (c->current_chapter_size <= 0)
c->current_chapter_size = 0;
ret = av_new_packet(pkt, written);
if (ret < 0)
return ret;
memcpy(pkt->data, buf, written);
return 0;
}
static int aa_probe(AVProbeData *p)
{
uint8_t *buf = p->buf;
// first 4 bytes are file size, next 4 bytes are the magic
if (AV_RB32(buf+4) != AA_MAGIC)
return 0;
return AVPROBE_SCORE_MAX / 2;
}
static int aa_read_close(AVFormatContext *s)
{
AADemuxContext *c = s->priv_data;
av_freep(&c->tea_ctx);
return 0;
}
#define OFFSET(x) offsetof(AADemuxContext, x)
static const AVOption aa_options[] = {
{ "aa_fixed_key", // extracted from libAAX_SDK.so and AAXSDKWin.dll files!
"Fixed key used for handling Audible AA files", OFFSET(aa_fixed_key),
AV_OPT_TYPE_BINARY, {.str="77214d4b196a87cd520045fd2a51d673"},
.flags = AV_OPT_FLAG_DECODING_PARAM },
{ NULL },
};
static const AVClass aa_class = {
.class_name = "aa",
.item_name = av_default_item_name,
.option = aa_options,
.version = LIBAVUTIL_VERSION_INT,
};
AVInputFormat ff_aa_demuxer = {
.name = "aa",
.long_name = NULL_IF_CONFIG_SMALL("Audible AA format files"),
.priv_class = &aa_class,
.priv_data_size = sizeof(AADemuxContext),
.extensions = "aa",
.read_probe = aa_probe,
.read_header = aa_read_header,
.read_packet = aa_read_packet,
.read_close = aa_read_close,
.flags = AVFMT_GENERIC_INDEX,
};