diff mbox

[FFmpeg-devel] mov: only read e_old if there were any old streams

Message ID 41ecbe4f-8f70-809f-7d75-1012277f0b97@googlemail.com
State Superseded
Headers show

Commit Message

Andreas Cadhalpun Oct. 30, 2016, 7:11 p.m. UTC
This fixes a heap buffer overflow.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Sasi Inguva Oct. 31, 2016, 6:20 p.m. UTC | #1
First of all, if nb_old == 0 i.e. there are no entries in AVIndex, then
there is no point in calling mov_fix_index function at all. So instead of
doing the above , you can directly check for st->nb_index_entries > 0 at
the top of mov_fix_index and return otherwise.

Also, I don't understand how nb_old==0 can cause heap overflow. If I read
the code correctly, if nb_old==0  find_prev_closest_keyframe_index , should
return -1, which would make the function skip that edit list here

        if (index
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/mov.c?l=2968&ct=xref_jump_to_def&cl=GROK&gsn=index>
== -1) {            av_log
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavutil/log.h?l=234&ct=xref_jump_to_def&cl=GROK&gsn=av_log>(mov
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/mov.c?l=2949&ct=xref_jump_to_def&cl=GROK&gsn=mov>->fc
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/isom.h?l=196&ct=xref_jump_to_def&cl=GROK&gsn=fc>,
AV_LOG_ERROR <https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavutil/log.h?l=176&ct=xref_jump_to_def&cl=GROK&gsn=AV_LOG_ERROR>,
"Missing key frame while reordering index according to edit list\n");
          continue;        }


On Sun, Oct 30, 2016 at 12:11 PM, Andreas Cadhalpun <
andreas.cadhalpun@googlemail.com> wrote:

> This fixes a heap buffer overflow.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 357d800..95b546e 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -3028,7 +3028,7 @@ static void mov_fix_index(MOVContext *mov, AVStream
> *st)
>              // Audio decoders like AAC need need a decoder delay samples
> previous to the current sample,
>              // to correctly decode this frame. Hence for audio we seek to
> a frame 1 sec. before the
>              // edit_list_media_time to cover the decoder delay.
> -            search_timestamp = FFMAX(search_timestamp - mov->time_scale,
> e_old[0].timestamp);
> +            search_timestamp = FFMAX(search_timestamp - mov->time_scale,
> nb_old ? e_old[0].timestamp : INT64_MIN);
>          }
>
>          index = find_prev_closest_keyframe_index(st, e_old, nb_old,
> search_timestamp, 0);
> --
> 2.10.1
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
diff mbox

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 357d800..95b546e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3028,7 +3028,7 @@  static void mov_fix_index(MOVContext *mov, AVStream *st)
             // Audio decoders like AAC need need a decoder delay samples previous to the current sample,
             // to correctly decode this frame. Hence for audio we seek to a frame 1 sec. before the
             // edit_list_media_time to cover the decoder delay.
-            search_timestamp = FFMAX(search_timestamp - mov->time_scale, e_old[0].timestamp);
+            search_timestamp = FFMAX(search_timestamp - mov->time_scale, nb_old ? e_old[0].timestamp : INT64_MIN);
         }
 
         index = find_prev_closest_keyframe_index(st, e_old, nb_old, search_timestamp, 0);