diff options
| author | ShuangxiLi <lishuangxi@huawei.com> | 2022-07-02 15:40:57 +0800 |
|---|---|---|
| committer | Marton Balint <cus@passwd.hu> | 2022-07-12 18:48:54 +0200 |
| commit | 046b05082dee1df500fc36b3db884101f7449383 (patch) | |
| tree | 8930b4ad434542764032369c46b8b3ad194dd59f | |
| parent | 9222965fdd9594ff9e921d4ad25beac4eefa2373 (diff) | |
| download | ffmpeg-046b05082dee1df500fc36b3db884101f7449383.tar.gz | |
avformat/mov: fix possible crash in cenc_scheme_decrypt
Data does not have to be decrypted in 16-byte blocks for AES-CTR mode, so
existing buggy code can be hugely simplified.
Fixes ticket #9829.
Signed-off-by: Marton Balint <cus@passwd.hu>
| -rw-r--r-- | libavformat/mov.c | 29 |
1 files changed, 2 insertions, 27 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index 6eb631d45b..29828ea7e6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6824,9 +6824,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption { int i, ret; int bytes_of_protected_data; - int partially_encrypted_block_size; - uint8_t *partially_encrypted_block; - uint8_t block[16]; if (!sc->cenc.aes_ctr) { /* initialize the cipher */ @@ -6849,8 +6846,6 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption return 0; } - partially_encrypted_block_size = 0; - for (i = 0; i < sample->subsample_count; i++) { if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); @@ -6863,28 +6858,8 @@ static int cenc_scheme_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryption /* decrypt the encrypted bytes */ - if (partially_encrypted_block_size) { - memcpy(block, partially_encrypted_block, partially_encrypted_block_size); - memcpy(block+partially_encrypted_block_size, input, 16-partially_encrypted_block_size); - av_aes_ctr_crypt(sc->cenc.aes_ctr, block, block, 16); - memcpy(partially_encrypted_block, block, partially_encrypted_block_size); - memcpy(input, block+partially_encrypted_block_size, 16-partially_encrypted_block_size); - input += 16-partially_encrypted_block_size; - size -= 16-partially_encrypted_block_size; - bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data - (16-partially_encrypted_block_size); - } else { - bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data; - } - - if (i < sample->subsample_count-1) { - int num_of_encrypted_blocks = bytes_of_protected_data/16; - partially_encrypted_block_size = bytes_of_protected_data%16; - if (partially_encrypted_block_size) - partially_encrypted_block = input + 16*num_of_encrypted_blocks; - av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, 16*num_of_encrypted_blocks); - } else { - av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data); - } + bytes_of_protected_data = sample->subsamples[i].bytes_of_protected_data; + av_aes_ctr_crypt(sc->cenc.aes_ctr, input, input, bytes_of_protected_data); input += bytes_of_protected_data; size -= bytes_of_protected_data; |