Message ID | CAPUDrwcVKR0VEfX9pG=o0f8NUx9-OFamPsWAPdrMxajvQBs2jw@mail.gmail.com |
---|---|
State | Superseded |
Headers | show |
2017-07-31 23:40 GMT+02:00 Dale Curtis <dalecurtis@chromium.org>:
> [mov] Bail when invalid sample data is present.
Could you provide such a sample?
Could the patch stop demuxing samples that are
supported so far?
Carl Eugen
Sample sent privately. I didn't find any non-fuzzer samples that no longer demux in our Chrome test corpus or in fate. - dale On Wed, Aug 2, 2017 at 1:43 PM, Carl Eugen Hoyos <ceffmpeg@gmail.com> wrote: > 2017-07-31 23:40 GMT+02:00 Dale Curtis <dalecurtis@chromium.org>: > > [mov] Bail when invalid sample data is present. > > Could you provide such a sample? > > Could the patch stop demuxing samples that are > supported so far? > > Carl Eugen > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >
+michael This patch is also necessary now that you've applied the ctts fixes in the previous patch. Thanks. - dale On Fri, Aug 4, 2017 at 4:04 PM, Dale Curtis <dalecurtis@chromium.org> wrote: > Sample sent privately. I didn't find any non-fuzzer samples that no longer > demux in our Chrome test corpus or in fate. > > - dale > > On Wed, Aug 2, 2017 at 1:43 PM, Carl Eugen Hoyos <ceffmpeg@gmail.com> > wrote: > >> 2017-07-31 23:40 GMT+02:00 Dale Curtis <dalecurtis@chromium.org>: >> > [mov] Bail when invalid sample data is present. >> >> Could you provide such a sample? >> >> Could the patch stop demuxing samples that are >> supported so far? >> >> Carl Eugen >> _______________________________________________ >> ffmpeg-devel mailing list >> ffmpeg-devel@ffmpeg.org >> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> > >
From e3b51516046255540c5a76b41e02cee7f0902541 Mon Sep 17 00:00:00 2001 From: Dale Curtis <dalecurtis@chromium.org> Date: Mon, 31 Jul 2017 13:44:22 -0700 Subject: [PATCH] [mov] Bail when invalid sample data is present. ctts data in ffmpeg relies on the index entries array to be 1:1 with samples... yet sc->sample_count can be read directly from the 'stsz' box and index entries are only generated if a chunk count has been read from 'stco' box. Ensure that if sc->sample_count > 0, sc->chunk_count is too. --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ab8e914581..5fe9bfac59 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3750,8 +3750,9 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; /* sanity checks */ - if (sc->chunk_count && (!sc->stts_count || !sc->stsc_count || - (!sc->sample_size && !sc->sample_count))) { + if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || + (!sc->sample_size && !sc->sample_count))) || + (!sc->chunk_count && sc->sample_count)) { av_log(c->fc, AV_LOG_ERROR, "stream %d, missing mandatory atoms, broken header\n", st->index); return 0; -- 2.14.0.rc0.400.g1c36432dff-goog