[FFmpeg-cvslog] avformat/mp3dec: Require probing data to be 50% mp3 frames for low score probing to succeed

Michael Niedermayer git at videolan.org
Sun May 20 14:19:39 EEST 2018 

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat May 12 18:33:27 2018 +0200| [60d179277972f2ab12ade0603e72f1eee9d15de8] | committer: Michael Niedermayer

avformat/mp3dec: Require probing data to be 50% mp3 frames for low score probing to succeed

This massively reduces the detection of random data as low score mp3
It may improve security by making it harder to read non multimedia data

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60d179277972f2ab12ade0603e72f1eee9d15de8
---

 libavformat/mp3dec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
index a76fe32e59..a26714ebaf 100644
--- a/libavformat/mp3dec.c
+++ b/libavformat/mp3dec.c
@@ -71,6 +71,7 @@ static int mp3_read_probe(AVProbeData *p)
     int max_frames, first_frames = 0;
     int whole_used = 0;
     int frames, ret;
+    int framesizes, max_framesizes;
     uint32_t header;
     const uint8_t *buf, *buf0, *buf2, *end;
 
@@ -80,11 +81,12 @@ static int mp3_read_probe(AVProbeData *p)
         buf0++;
 
     max_frames = 0;
+    max_framesizes = 0;
     buf = buf0;
 
     for(; buf < end; buf= buf2+1) {
         buf2 = buf;
-        for(frames = 0; buf2 < end; frames++) {
+        for(framesizes = frames = 0; buf2 < end; frames++) {
             MPADecodeHeader h;
 
             header = AV_RB32(buf2);
@@ -92,8 +94,10 @@ static int mp3_read_probe(AVProbeData *p)
             if (ret != 0)
                 break;
             buf2 += h.frame_size;
+            framesizes += h.frame_size;
         }
         max_frames = FFMAX(max_frames, frames);
+        max_framesizes = FFMAX(max_framesizes, framesizes);
         if(buf == buf0) {
             first_frames= frames;
             if (buf2 == end + sizeof(uint32_t))
@@ -104,11 +108,11 @@ static int mp3_read_probe(AVProbeData *p)
     // issues with MPEG-files!
     if   (first_frames>=7) return AVPROBE_SCORE_EXTENSION + 1;
     else if(max_frames>200)return AVPROBE_SCORE_EXTENSION;
-    else if(max_frames>=4 && max_frames >= p->buf_size/10000) return AVPROBE_SCORE_EXTENSION / 2;
+    else if(max_frames>=4 && p->buf_size < 2*max_framesizes) return AVPROBE_SCORE_EXTENSION / 2;
     else if(ff_id3v2_match(buf0, ID3v2_DEFAULT_MAGIC) && 2*ff_id3v2_tag_len(buf0) >= p->buf_size)
                            return p->buf_size < PROBE_BUF_MAX ? AVPROBE_SCORE_EXTENSION / 4 : AVPROBE_SCORE_EXTENSION - 2;
     else if(first_frames > 1 && whole_used) return 5;
-    else if(max_frames>=1 && max_frames >= p->buf_size/10000) return 1;
+    else if(max_frames>=1 && p->buf_size < 2*max_framesizes) return 1;
     else                   return 0;
 //mpegps_mp3_unrecognized_format.mpg has max_frames=3
 }

More information about the ffmpeg-cvslog mailing list