[FFmpeg-devel] [PATCH] DVB LATM parser

Michael Niedermayer michaelni
Wed Sep 17 20:24:48 CEST 2008


Hi

On Wed, Sep 17, 2008 at 04:57:46PM +1200, Paul Kendall wrote:
> On Wednesday 17 September 2008 12:51:18 Michael Niedermayer wrote:
> > On Fri, Jul 04, 2008 at 09:28:37AM +1200, Paul Kendall wrote:
> > > On Thursday 03 July 2008 22:16:56 Paul Kendall wrote:
> > > > Hi, attached is a patch that provides an AAC LATM parser
> > > > CODEC_ID_AAC_LATM I have been working on. The libfaad decoder is also
> > > > patched to provide another codec the decoding for this codec id. There
> > > > are minor patches to mpeg.c & mpegts.c to send stream id 0x11 to this
> > > > codec id.
> > > >
> > > > With this patch I can get audio working perfectly for NZ DVB-T using
> > > > the stock unpatched libfaad2 library.
> > > >
> > > > I would welcome comments and suggestions so this can be included in the
> > > > ffmpeg codebase.
> > > >
> > > > Cheers,
> > > > Paul Kendall
> > >
> > > Doh!
> > > I missed a vital part of the patch! Putting the codec in the allcodecs.c
> > > file! Here's a modified patch.
> >
> > I think a parser is not the correct place to remove the LATM stuff. A
> > parser should only split things into frames and extract information, not
> > remove information.
> > This for example is important if one wants to preserve the LATM and mux it
> > into another container.
> > LATM could be removed in a bitstream filter ....
> 
> Ok, I can look into this. Are there any docs on this?

well ... the source code :)
but you can ask questions here if you have any, also keep in mind if the
bitstream filter API has any problems it could be changed ...

Also note that a LATM parser or some changes to the AAC parser might still be
required even with a bitstream filter, otherwise the AAC parser will likely
be confused by the LATM stuff ...

The idea is that the parser would split frames but not discard anything
the bitstream filter then would discard the LATM wrapper. I hope that will
work out like that, LATM is a rather ugly thing.


> Also, can the mpegts code use a filter or will I have to look at making it 
> support that too?

Any demuxer should be usable with the bitstream filter.
Note though we do not yet have code to automatically enable bitstream filters,
they have to be enabled by the user explicitly currently.


> 
> >
> > besides the code below is exploitable
> >
> > [...]
> >
> > > +static void readPayloadLengthInfo(AACParser *parser, GetBitContext *b)
> > > +{
> > > +    uint8_t tmp;
> > > +    if (parser->frameLengthType == 0) {
> > > +        parser->muxSlotLengthBytes = 0;
> > > +        do {
> > > +            tmp = get_bits(b, 8);
> > > +            parser->muxSlotLengthBytes += tmp;
> > > +        } while (tmp == 255);
> > > +    } else {
> > > +        if (parser->frameLengthType == 5 ||
> > > +            parser->frameLengthType == 7 ||
> > > +            parser->frameLengthType == 3) {
> > > +            get_bits(b, 2);
> > > +        }
> > > +    }
> > > +}
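Review bot: the frameLengthType == 0 branch accumulates muxSlotLengthBytes from an unbounded run of 8-bit length bytes and never compares the result with the bits remaining in b or with the size of the buffer the caller will copy into, and since the function returns void it cannot report a bad length to its caller; it should return an error as soon as the accumulated length exceeds the remaining input. The other branch has the opposite problem: for frameLengthType 3, 5 and 7 it reads 2 bits, discards them, and leaves muxSlotLengthBytes at whatever the previous call set, so the later copy loop runs with a stale length.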
> >
> > [...]
> >
> > > +        readPayloadLengthInfo(parser, b);
> > > +
> > > +        // copy data
> > > +        for (j=0; j<parser->muxSlotLengthBytes; j++)
> > > +            *payload++ = get_bits(b, 8);
> > > +        *payloadsize = parser->muxSlotLengthBytes;
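Review bot: the copy loop `for (j=0; j<parser->muxSlotLengthBytes; j++) *payload++ = get_bits(b, 8);` writes a stream-controlled number of bytes through payload with no check against the destination's capacity or the bits left in b, which is the overflow Michael refers to; pass the payload buffer size into this code, reject the packet when muxSlotLengthBytes exceeds either that capacity or the remaining input bytes, and only then copy. The input-side check matters even when the output buffer is large enough, because get_bits(b, 8) keeps reading once the GetBitContext is exhausted.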
> >
> > [...]
> The exploit is that you could craft a packet that copies huge chunks of memory 
> to the output? 

yes


> i.e. the for loop is not checking that it overflows the
> GetBitContext b?

overflowing whatever payload points to ...

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Democracy is the form of government in which you can choose your dictator
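As an added illustration, not code from the patch or from FFmpeg, here is the frameLengthType == 0 length-field and copy logic from the thread written with the bounds checks Michael is asking for; it uses a hypothetical minimal bit reader standing in for GetBitContext, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bit reader: a hypothetical stand-in for FFmpeg's GetBitContext, not its real API. */
typedef struct { const uint8_t *buf; size_t size_bits; size_t pos; } BitReader;

static unsigned read_bits(BitReader *b, int n)
{
    unsigned v = 0;
    for (; n > 0; n--, b->pos++)
        v = (v << 1) | ((b->buf[b->pos >> 3] >> (7 - (b->pos & 7))) & 1u);
    return v;
}

/* frameLengthType == 0 PayloadLengthInfo: a run of 8-bit lengths terminated by a byte != 255,
 * followed by that many payload bytes. Returns the byte count, or -1 when the length field would
 * overrun either the input bits or the caller's output buffer (the checks the patch lacked). */
static int read_latm_payload(BitReader *b, uint8_t *payload, size_t payload_cap)
{
    size_t len = 0;
    unsigned tmp;
    do {
        if (b->size_bits - b->pos < 8)
            return -1;                         /* length field itself is truncated */
        tmp = read_bits(b, 8);
        len += tmp;
    } while (tmp == 255);
    if (len > payload_cap)
        return -1;                             /* would overflow the destination */
    if ((b->size_bits - b->pos) / 8 < len)
        return -1;                             /* claims more bytes than the packet carries */
    for (size_t j = 0; j < len; j++)
        payload[j] = (uint8_t)read_bits(b, 8);
    return (int)len;
}

/* Constructed samples: a well-formed 3-byte slot, and one whose length field
 * (255 + 255 + 1 = 511) far exceeds the single byte that follows it. */
static const uint8_t SAMPLE_OK[]  = {0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t SAMPLE_BAD[] = {0xFF, 0xFF, 0x01, 0xAA};

/* Parses one packet into a 16-byte scratch buffer, capped at out_cap; returns bytes copied or -1. */
static int demo(const uint8_t *pkt, size_t pkt_len, size_t out_cap)
{
    uint8_t out[16];
    BitReader b = { pkt, pkt_len * 8, 0 };
    return read_latm_payload(&b, out, out_cap < sizeof out ? out_cap : sizeof out);
}
```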