[FFmpeg-devel] [libav-devel] [PATCH] libopusdec: fix out-of-bounds read

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Thu Nov 24 02:06:35 EET 2016


On 23.11.2016 03:07, Michael Niedermayer wrote:
> On Mon, Nov 14, 2016 at 09:55:15PM +0100, Andreas Cadhalpun wrote:
>>  libopusdec.c |    6 ++++++
>>  1 file changed, 6 insertions(+)
>> 0b663c14f4a6dae3e1da453239dbe429aef7886e  0001-libopusdec-default-to-stereo-for-invalid-number-of-c.patch
>> From d33ded293d15e8ceab666bea834d436f3a225bcc Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> Date: Mon, 14 Nov 2016 21:41:45 +0100
>> Subject: [PATCH] libopusdec: default to stereo for invalid number of channels
>>
>> This fixes an out-of-bounds read if avc->channels is 0.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>>  libavcodec/libopusdec.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
>> index acc62f1..61f68ed 100644
>> --- a/libavcodec/libopusdec.c
>> +++ b/libavcodec/libopusdec.c
>> @@ -47,6 +47,12 @@ static av_cold int libopus_decode_init(AVCodecContext *avc)
>>      int ret, channel_map = 0, gain_db = 0, nb_streams, nb_coupled;
>>      uint8_t mapping_arr[8] = { 0, 1 }, *mapping;
>>  
>> +    if (avc->channels <= 0) {
>> +        av_log(avc, AV_LOG_WARNING,
>> +               "Invalid number of channels %d, defaulting to stereo\n", avc->channels);
>> +        avc->channels = 2;
>> +    }
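Review bot: the new guard at the top of libopus_decode_init() tests only `avc->channels <= 0`, while the context line just above it declares `uint8_t mapping_arr[8]`. If the out-of-bounds read comes from using the channel count against that array, a count above 8 deserves the same check. Otherwise the commit message should say why only the lower bound matters. The message also names only the value 0 although the condition covers negative values, so it should be worded to match. Finally, rewriting `avc->channels` to 2 and continuing at AV_LOG_WARNING level guesses a layout for a stream that is already known to be inconsistent. Please state in a comment why defaulting is preferred to returning an error here.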
> 
> This looks wrong
> 
> opusdec uses ff_opus_parse_extradata() to set the number of channels
> from extradata.
> 
> The value provided by the demuxer if any should not matter

However, extradata does not necessarily exist and in that case ff_opus_parse_extradata
defaults to stereo, unless the demuxer has set channels to 1.
This can also be done in libopusdec, but channels can still be 0, if the channel count
in extradata is 0, so the above default setting is needed regardless.

Attached is an updated patch.

Best regards,
Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-libopusdec-default-to-stereo-for-invalid-number-of-c.patch
Type: text/x-diff
Size: 1279 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20161124/c8f0fc94/attachment.patch>
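
The fallback rules discussed in the reply above, as an added C sketch that is not FFmpeg's code and not part of the original message. The helper names, the rejection of a malformed header, and the upper bound of 8 (taken from the size of `mapping_arr[8]` in the quoted hunk) are assumptions; the header layout is the RFC 7845 "OpusHead" identification header, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPUS_HEAD_MIN_SIZE  19  /* RFC 7845 ID header without a mapping table */
#define MAX_MAPPED_CHANNELS 8   /* assumption: size of mapping_arr[8] in the hunk */

/* Hypothetical helper, not an FFmpeg function. Returns a channel count in
 * 1..MAX_MAPPED_CHANNELS, or -1 for a malformed header. *overridden is set
 * to 1 when an invalid count from the header was replaced by stereo. */
static int resolve_opus_channels(const uint8_t *extradata, size_t size,
                                 int demuxer_channels, int *overridden)
{
    int channels;

    *overridden = 0;
    if (!extradata || size == 0)          /* no extradata: stereo unless */
        return demuxer_channels == 1 ? 1 : 2;  /* the demuxer said mono  */

    /* Assumption of this sketch: a short or mistagged header is rejected. */
    if (size < OPUS_HEAD_MIN_SIZE || memcmp(extradata, "OpusHead", 8) != 0)
        return -1;

    channels = extradata[9];              /* byte 9: output channel count */
    if (channels < 1 || channels > MAX_MAPPED_CHANNELS) {
        *overridden = 1;                  /* header count unusable, e.g. 0 */
        channels = 2;
    }
    return channels;
}

/* Builds a constructed 19-byte sample header with the given channel count. */
static void make_head(uint8_t out[OPUS_HEAD_MIN_SIZE], uint8_t channels)
{
    memset(out, 0, OPUS_HEAD_MIN_SIZE);
    memcpy(out, "OpusHead", 8);
    out[8] = 1;                           /* version */
    out[9] = channels;
}

int main(void)
{
    uint8_t head[OPUS_HEAD_MIN_SIZE];
    int overridden;

    make_head(head, 0);                   /* the case from the reply */
    printf("channels=%d overridden=%d\n",
           resolve_opus_channels(head, sizeof head, 0, &overridden), overridden);
    return 0;
}
```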

