Message ID | 20220111023025.72632-1-13102179620@163.com |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel] avformat/asfdec: init avpacket by av_packet_alloc() | expand |
Context | Check | Description |
---|---|---|
andriy/commit_msg_x86 | warning | Please wrap lines in the body of the commit message between 60 and 72 characters. |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/commit_msg_ppc | warning | Please wrap lines in the body of the commit message between 60 and 72 characters. |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
andriy/commit_msg_armv7_RPi4 | warning | Please wrap lines in the body of the commit message between 60 and 72 characters. |
andriy/make_armv7_RPi4 | success | Make finished |
andriy/make_fate_armv7_RPi4 | success | Make fate finished |
andriy/commit_msg_aarch64_jetson | warning | Please wrap lines in the body of the commit message between 60 and 72 characters. |
andriy/make_aarch64_jetson | success | Make finished |
andriy/make_fate_aarch64_jetson | success | Make fate finished |
On 1/10/2022 11:30 PM, 13102179620@163.com wrote: > From: Yang Xiao <yshaw99@outlook.com> > > This commit fixed a crash when seeking wma frames, asf decoder will try to demux in function asf_read_pts(). > Pointer member side_data of AVPacket that allocated by stack may be wild pointer. > Prevent releasing wild pointers in AVPacket when some functions try to call av_packet_unref, example av_read_frame(). > --- > libavformat/asfdec_f.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c > index a8f36ed286..8cf953830e 100644 > --- a/libavformat/asfdec_f.c > +++ b/libavformat/asfdec_f.c > @@ -1433,7 +1433,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, > { > FFFormatContext *const si = ffformatcontext(s); > ASFContext *asf = s->priv_data; > - AVPacket pkt1, *pkt = &pkt1; > + AVPacket *pkt = av_packet_alloc(); You're not checking pkt for allocation failure, and you're never freeing it after using it, so it will leak. > ASFStream *asf_st; > int64_t pts; > int64_t pos = *ppos;
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index a8f36ed286..8cf953830e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1433,7 +1433,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index, { FFFormatContext *const si = ffformatcontext(s); ASFContext *asf = s->priv_data; - AVPacket pkt1, *pkt = &pkt1; + AVPacket *pkt = av_packet_alloc(); ASFStream *asf_st; int64_t pts; int64_t pos = *ppos;
From: Yang Xiao <yshaw99@outlook.com> This commit fixed a crash when seeking wma frames, asf decoder will try to demux in function asf_read_pts(). Pointer member side_data of AVPacket that allocated by stack may be wild pointer. Prevent releasing wild pointers in AVPacket when some functions try to call av_packet_unref, example av_read_frame(). --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)