[FFmpeg-devel] [PATCH] DVB LATM parser
Paul Kendall
paul
Wed Sep 17 06:57:46 CEST 2008
On Wednesday 17 September 2008 12:51:18 Michael Niedermayer wrote:
> On Fri, Jul 04, 2008 at 09:28:37AM +1200, Paul Kendall wrote:
> > On Thursday 03 July 2008 22:16:56 Paul Kendall wrote:
> > > Hi, attached is a patch that provides an AAC LATM parser
> > > CODEC_ID_AAC_LATM I have been working on. The libfaad decoder is also
> > > patched to provide another codec the decoding for this codec id. There
> > > are minor patches to mpeg.c & mpegts.c to send stream id 0x11 to this
> > > codec id.
> > >
> > > With this patch I can get audio working perfectly for NZ DVB-T using
> > > the stock unpatched libfaad2 library.
> > >
> > > I would welcome comments and suggestions so this can be included in the
> > > ffmpeg codebase.
> > >
> > > Cheers,
> > > Paul Kendall
> >
> > Doh!
> > I missed a vital part of the patch! Putting the codec in the allcodecs.c
> > file! Here's a modified patch.
>
> I think a parser is not the correct place to remove the LATM stuff. A
> parser should only split things into frames and extract information, not
> remove information.
> This for example is important if one wants to preserve the LATM and mux it
> into another container.
> LATM could be removed in a bitstream filter ....
Ok, I can look into this. Are there any docs on this?
Also, can the mpegts code use a filter or will I have to look at making it
support that too?
>
> besides the code below is exploitable
>
> [...]
>
> > +static void readPayloadLengthInfo(AACParser *parser, GetBitContext *b)
> > +{
> > + uint8_t tmp;
> > + if (parser->frameLengthType == 0) {
> > + parser->muxSlotLengthBytes = 0;
> > + do {
> > + tmp = get_bits(b, 8);
> > + parser->muxSlotLengthBytes += tmp;
> > + } while (tmp == 255);
> > + } else {
> > + if (parser->frameLengthType == 5 ||
> > + parser->frameLengthType == 7 ||
> > + parser->frameLengthType == 3) {
> > + get_bits(b, 2);
> > + }
> > + }
> > +}
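Review bot: the do/while loop in readPayloadLengthInfo calls get_bits(b, 8) without checking how many bits remain in b, so a run of 255 values keeps it reading and muxSlotLengthBytes ends up as whatever the stream claims. Check the remaining bits before each read and fail the parse when the length field is truncated. In the else branch muxSlotLengthBytes is never assigned, so for any frameLengthType other than 0 the caller sees the value left by an earlier call; set it explicitly or return an error for the types that are not handled.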
>
> [...]
>
> > + readPayloadLengthInfo(parser, b);
> > +
> > + // copy data
> > + for (j=0; j<parser->muxSlotLengthBytes; j++)
> > + *payload++ = get_bits(b, 8);
> > + *payloadsize = parser->muxSlotLengthBytes;
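Review bot: the copy loop bounds j only by parser->muxSlotLengthBytes, which comes straight from the stream; neither the space behind payload nor the bits left in b is checked, so "*payload++ = get_bits(b, 8)" can write past the output buffer and read past the input. Before the loop, reject a length that exceeds the capacity of the payload buffer or the bytes remaining in b, and report the failure to the caller instead of setting *payloadsize.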
>
> [...]
The exploit is that you could craft a packet that copies huge chunks of memory
to the output? i.e. the for loop is not checking that it overflows the
GetBitContext b?
Cheers,
Paul
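
An added example, not part of the patch or of FFmpeg: a bounds-checked form of the length read and payload copy discussed in this message, for the frameLengthType == 0 case only. BitReader, bits_left, read_u8 and read_payload are hypothetical names standing in for GetBitContext and the patch's functions, and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal bit reader standing in for FFmpeg's GetBitContext. */
typedef struct { const uint8_t *buf; size_t size_bits, pos_bits; } BitReader;

static size_t bits_left(const BitReader *r) { return r->size_bits - r->pos_bits; }

/* Read 8 bits at any bit offset; caller has checked bits_left(r) >= 8. */
static uint8_t read_u8(BitReader *r)
{
    size_t byte = r->pos_bits >> 3;
    unsigned shift = r->pos_bits & 7;
    unsigned v = (unsigned)r->buf[byte] << 8;
    if (shift)                       /* second byte only needed when unaligned */
        v |= r->buf[byte + 1];
    r->pos_bits += 8;
    return (uint8_t)(v >> (8 - shift));
}

/* Returns the payload length, or -1 if the length field is truncated or the
 * payload would not fit in the remaining input or in the output buffer. */
static long read_payload(BitReader *r, uint8_t *out, size_t out_cap)
{
    size_t len = 0;
    uint8_t tmp;
    do {
        if (bits_left(r) < 8)
            return -1;               /* length field runs off the input */
        tmp = read_u8(r);
        if (tmp > out_cap - len)
            return -1;               /* claimed length exceeds output buffer */
        len += tmp;
    } while (tmp == 255);
    if (len > bits_left(r) / 8)
        return -1;                   /* claimed length exceeds input */
    for (size_t j = 0; j < len; j++)
        out[j] = read_u8(r);
    return (long)len;
}

int main(void)
{
    /* Constructed input: claims 255 + 10 bytes but carries only two. */
    const uint8_t pkt[] = {255, 10, 1, 2};
    uint8_t out[512];
    BitReader r = {pkt, sizeof pkt * 8, 0};
    return read_payload(&r, out, sizeof out) == -1 ? 0 : 1;
}
```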