From 4c35bb53f94e4de88a0919346f24d34f8387771c Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sat, 22 Oct 2022 16:41:41 -0300
Subject: [PATCH] avcodec/ac3_parser: improve false positive detection when parsing sync frames

A two byte sync word is not enough to ensure we got a real syncframe, nor are all the range checks we do in the first seven bytes. Do therefore an integrity check for the sync frame in order to prevent the parser from filling avctx with bogus information.

Signed-off-by: James Almer
---
 libavcodec/aac_ac3_parser.c | 4 ++++
 libavcodec/aac_ac3_parser.h | 2 ++
 libavcodec/ac3_parser.c | 1 +
 3 files changed, 7 insertions(+)

diff --git a/libavcodec/aac_ac3_parser.c b/libavcodec/aac_ac3_parser.c
index 2974de1545..9ab979632d 100644
--- a/libavcodec/aac_ac3_parser.c
+++ b/libavcodec/aac_ac3_parser.c
@@ -114,6 +114,10 @@ get_next:
 buf_size -= hdr.frame_size;
 continue;
 }
+ /* Check for false positives since the syncword is not enough.
+ See section 6.1.2 of A/52. */
+ if (av_crc(s->crc_ctx, 0, buf + 2, hdr.frame_size - 2))
+ return i;
 break;
 }
diff --git a/libavcodec/aac_ac3_parser.h b/libavcodec/aac_ac3_parser.h
index 560bba54f5..bc16181a19 100644
--- a/libavcodec/aac_ac3_parser.h
+++ b/libavcodec/aac_ac3_parser.h
@@ -24,6 +24,7 @@ #define AVCODEC_AAC_AC3_PARSER_H
 #include
+#include "libavutil/crc.h"
 #include "avcodec.h"
 #include "parser.h"
@@ -42,6 +43,7 @@ typedef struct AACAC3ParseContext {
 int header_size;
 int (*sync)(uint64_t state, int *need_next_header, int *new_frame_start);
+ const AVCRC *crc_ctx;
 int remaining_size;
 uint64_t state;
diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c
index 8885e1c72e..13b8d3b7d8 100644
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -246,6 +246,7 @@ static av_cold int ac3_parse_init(AVCodecParserContext *s1)
 {
 AACAC3ParseContext *s = s1->priv_data;
 s->header_size = AC3_HEADER_SIZE;
+ s->crc_ctx = av_crc_get_table(AV_CRC_16_ANSI);
 s->sync = ac3_sync;
 return 0;
 }
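Review bot: The added `av_crc()` call in libavcodec/aac_ac3_parser.c reads `hdr.frame_size - 2` bytes starting at `buf + 2`, and nothing visible in this hunk shows that `buf_size` covers the whole frame or that `hdr.frame_size` is at least 2. Both values are derived from untrusted stream data, so the bound should be confirmed or stated next to the call. The enclosing loop begins above the hunk, so a check such as `hdr.frame_size > buf_size` may already exist there; if it does, a short comment like `/* hdr.frame_size <= buf_size is guaranteed by the header check above */` would record the invariant the CRC relies on. Frames that take the `continue` branch just above also appear to be skipped without this integrity check, so only the frame that reaches this point is verified, which is worth saying in the comment.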
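Review bot: The new `crc_ctx` member added to `AACAC3ParseContext` in the second hunk of libavcodec/aac_ac3_parser.h has no comment, and in this patch it is assigned only in `ac3_parse_init`. Any other parser sharing this context would leave it NULL, while the shared aac_ac3_parser.c code passes it straight to `av_crc()`. Whether the new call is reachable for non-AC-3 codecs cannot be seen from these hunks. If it is guarded by a codec check, document that on the field, for example `const AVCRC *crc_ctx; /* CRC-16 table for the AC-3 syncframe check; NULL for other parsers */`. The struct definition continues outside the hunk.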