[FFmpeg-devel] avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream

Submitted by Michael Niedermayer on Feb. 12, 2019, 10:28 p.m.

Details

Message ID 20190212222835.27755-1-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer Feb. 12, 2019, 10:28 p.m.
Fixes: NULL pointer dereference
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5634316373721088

Reported-by: Chris Cunningham <chcunningham@google.com>
Reviewed-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Derek Buitenhuis Feb. 13, 2019, 12:16 p.m.
On 12/02/2019 22:28, Michael Niedermayer wrote:
> @@ -5048,7 +5048,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>          for (i = 0; i < c->fc->nb_streams; i++) {
>              st = c->fc->streams[i];
>              sc = st->priv_data;
> -            if (!sc->has_sidx) {
> +            if (ref_st && !sc->has_sidx) {
>                  st->duration = sc->track_end = av_rescale(ref_st->duration, sc->time_scale, ref_sc->time_scale);
>              }
>          }
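
Review bot: The new guard on the `+` line tests only ref_st, but the unchanged assignment it protects also dereferences ref_sc (ref_sc->time_scale), and nothing in this hunk shows that ref_sc is non-NULL whenever ref_st is. Either test both pointers in the condition or add a one-line comment stating that ref_sc is always set together with ref_st, so the next reader does not have to trace it.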

Is it perhaps better to not run this loop at all if ref_sc or ref_st do not exist?

- Derek

Michael Niedermayer Feb. 14, 2019, 2:30 p.m.
On Wed, Feb 13, 2019 at 12:16:36PM +0000, Derek Buitenhuis wrote:
> On 12/02/2019 22:28, Michael Niedermayer wrote:
> > @@ -5048,7 +5048,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >          for (i = 0; i < c->fc->nb_streams; i++) {
> >              st = c->fc->streams[i];
> >              sc = st->priv_data;
> > -            if (!sc->has_sidx) {
> > +            if (ref_st && !sc->has_sidx) {
> >                  st->duration = sc->track_end = av_rescale(ref_st->duration, sc->time_scale, ref_sc->time_scale);
> >              }
> >          }
> 
> Is it perhaps better to not run this loop at all if ref_sc or ref_st do not exist?

will commit with the check moved to the loop

thanks

[...]

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 73a5ec240e..6aaba1e290 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5048,7 +5048,7 @@  static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         for (i = 0; i < c->fc->nb_streams; i++) {
             st = c->fc->streams[i];
             sc = st->priv_data;
-            if (!sc->has_sidx) {
+            if (ref_st && !sc->has_sidx) {
                 st->duration = sc->track_end = av_rescale(ref_st->duration, sc->time_scale, ref_sc->time_scale);
             }
         }
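
Review bot: The ref_st test added inside the if does not depend on i, so as posted it is re-evaluated for every stream and the loop still runs when there is no reference stream at all. Hoisting it to wrap the for loop keeps the inner condition as the original `if (!sc->has_sidx)` and makes it obvious that the whole duration propagation is skipped in that case. A short comment on when ref_st can be NULL here would also help, since the commit message mentions only the fuzzer testcase.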