On 04/27/2013 06:19 PM, Anton Khirnov wrote:
> 
> On Sat, 27 Apr 2013 11:38:10 +0200, Luca Barbato <[email protected]> wrote:
>> Incomplete crypted files would lead to a read after buffer boundary
>> otherwise.
>>
>> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>> CC: [email protected]
>> ---
>>
>> This version should work better in the case the partial packet
>> isn't caused by an end of file.
>>
>>  libavformat/omadec.c | 10 ++++++++--
>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/libavformat/omadec.c b/libavformat/omadec.c
>> index b05a7d5..87d2576 100644
>> --- a/libavformat/omadec.c
>> +++ b/libavformat/omadec.c
>> @@ -402,6 +402,9 @@ static int oma_read_packet(AVFormatContext *s, AVPacket 
>> *pkt)
>>      int packet_size = s->streams[0]->codec->block_align;
>>      int ret = av_get_packet(s->pb, pkt, packet_size);
>>
>> +    if (ret < packet_size)
>> +        pkt->flags |= AV_PKT_FLAG_CORRUPT;
>> +
>>      if (ret <= 0)
>>          return AVERROR(EIO);
>>
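
Review bot: the added ret < packet_size test sits above the ret <= 0 check, so AV_PKT_FLAG_CORRUPT is also written into pkt on the path that immediately returns AVERROR(EIO). The flag only matters for a packet that is actually handed back to the caller, so I would move the two added lines below the error return. That also avoids depending on whatever pkt holds after a failed av_get_packet().
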
>> @@ -410,8 +413,11 @@ static int oma_read_packet(AVFormatContext *s, AVPacket 
>> *pkt)
>>      if (oc->encrypted) {
>>          /* previous unencrypted block saved in IV for
>>           * the next packet (CBC mode) */
>> -        av_des_crypt(&oc->av_des, pkt->data, pkt->data,
>> -                     (packet_size >> 3), oc->iv, 1);
>> +        if (ret == packet_size)
>> +            av_des_crypt(&oc->av_des, pkt->data, pkt->data,
>> +                         (packet_size >> 3), oc->iv, 1);
>> +        else
>> +            memset(oc->iv, 0, 8);
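
Review bot: in the new else branch the short packet is still returned with its payload untouched, i.e. still encrypted, and only the CORRUPT flag set in the first hunk tells the caller. The comment should say whether that is intended or whether the packet ought to be dropped instead. The existing comment also says the IV carries the previous block across packets for CBC, so after memset(oc->iv, 0, 8) the first block of the next full packet is decrypted against a zero IV. If that is the intended resync behaviour, a line in the comment saying so would help.
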
> 
> s/8/sizeof(oc->iv)

It is common all over the code, maybe it is better to patch them out in a
single swipe before or after this patch.

> Also I think an error message would be appropriate here.

"Partial read, resetting the IV" ?

lu

