diff options
| author | James Almer <jamrial@gmail.com> | 2019-04-25 19:04:01 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2019-05-06 13:53:10 -0300 |
| commit | 82e1fb864b37a03b63aa43456d0b9f744bb409f5 (patch) | |
| tree | 4a4a07b0f018e066f36a101bbc7ff36df11ebbc5 | |
| parent | fc630d7b437b754cc9d4a848d2b32b0ff8c1a7d7 (diff) | |
| download | ffmpeg-82e1fb864b37a03b63aa43456d0b9f744bb409f5.tar.gz | |
avformat/aacdec: fix demuxing of small frames
10 bytes (id3v2 header amount of bytes) were being read before any checks
were made on the bitstream. The result was that we were overreading into
the next frame if the current one was 8 or 9 bytes long.
Fixes tickets #7271 and #7869.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d88193c2196cf5342424aaa7a44b046c71c2527a)
| -rw-r--r-- | libavformat/aacdec.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 685458b911..e23abd0abf 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -20,6 +20,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "avio_internal.h" @@ -154,17 +155,8 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) { int ret, fsize; - // Parse all the ID3 headers between frames - while (1) { - ret = av_get_packet(s->pb, pkt, FFMAX(ID3v2_HEADER_SIZE, ADTS_HEADER_SIZE)); - if (ret >= ID3v2_HEADER_SIZE && ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { - if ((ret = handle_id3(s, pkt)) >= 0) { - continue; - } - } - break; - } - +retry: + ret = av_get_packet(s->pb, pkt, ADTS_HEADER_SIZE); if (ret < 0) return ret; @@ -174,8 +166,24 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) } if ((AV_RB16(pkt->data) >> 4) != 0xfff) { - av_packet_unref(pkt); - return AVERROR_INVALIDDATA; + // Parse all the ID3 headers between frames + int append = ID3v2_HEADER_SIZE - ADTS_HEADER_SIZE; + + av_assert2(append > 0); + ret = av_append_packet(s->pb, pkt, append); + if (ret != append) { + av_packet_unref(pkt); + return AVERROR(EIO); + } + if (!ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { + av_packet_unref(pkt); + return AVERROR_INVALIDDATA; + } + ret = handle_id3(s, pkt); + if (ret < 0) + return ret; + + goto retry; } fsize = (AV_RB32(pkt->data + 3) >> 13) & 0x1FFF; |