Message ID | CAADho6O81rqy2e_8uAokMOC0XboLHHAoDgkTxnvfVBt+aodT3g@mail.gmail.com |
---|---|
State | New |
On Fri, Mar 02, 2018 at 03:43:35PM -0800, Matthew Wolenetz wrote:
>
>  mov.c | 3 +++
>  1 file changed, 3 insertions(+)
>  6cffbdffaf318c72a8a3ea4d3c279c4126f5c0e2  0001-ffmpeg-Initialize-a-potential-gap-in-ctts_data-in-mo.patch
>  From c40925a0d3ec1397cd6ed7d29bae573c5bdf1ec2 Mon Sep 17 00:00:00 2001
> From: Matt Wolenetz <wolenetz@chromium.org>
> Date: Fri, 2 Mar 2018 15:12:41 -0800
> Subject: [PATCH] ffmpeg: Initialize a potential gap in ctts_data in
>  mov_build_index
>
> mov_read_ctts ignores ctts entries having count <= 0. Generally, the
> aggregate of all ctts entries' count fields resulting from mov_read_ctts
> can be less than the corresponding sample_count.
>
> mov_build_index attempts to normalize any existing ctts_data counts to
> be 1, to make a 1-1 mapping of a ctts_data entry to a sample.
>
> That 1-1 mapping left a tail of uninitialized ctts_data entries when the
> aggregate, normalized ctts_count < sample_count.
>
> Even more generally, later usage of ctts_data may depend on the entire
> ctts_allocated_size having been initialized.
>
> This change memsets the entire allocation of the normalized ctts_data in
> mov_build_index, to prevent use of uninitialized data later.
>
> BUG=816787
>
> Change-Id: I7fd7db255e3aeed076ee32c90cb2df211741c052
> Reviewed-on: https://chromium-review.googlesource.com/947110
> Reviewed-by: Xiaohan Wang <xhwang@chromium.org>

will apply thx

[...]
From c40925a0d3ec1397cd6ed7d29bae573c5bdf1ec2 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz <wolenetz@chromium.org> Date: Fri, 2 Mar 2018 15:12:41 -0800 Subject: [PATCH] ffmpeg: Initialize a potential gap in ctts_data in mov_build_index mov_read_ctts ignores ctts entries having count <= 0. Generally, the aggregate of all ctts entries' count fields resulting from mov_read_ctts can be less than the corresponding sample_count. mov_build_index attempts to normalize any existing ctts_data counts to be 1, to make a 1-1 mapping of a ctts_data entry to a sample. That 1-1 mapping left a tail of uninitialized ctts_data entries when the aggregate, normalized ctts_count < sample_count. Even more generally, later usage of ctts_data may depend on the entire ctts_allocated_size having been initialized. This change memsets the entire allocation of the normalized ctts_data in mov_build_index, to prevent use of uninitialized data later. BUG=816787 Change-Id: I7fd7db255e3aeed076ee32c90cb2df211741c052 Reviewed-on: https://chromium-review.googlesource.com/947110 Reviewed-by: Xiaohan Wang <xhwang@chromium.org> --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index f01116874c..05dfaf340e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3745,6 +3745,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_free(ctts_data_old); return; } + + memset((uint8_t*)(sc->ctts_data), 0, sc->ctts_allocated_size); + for (i = 0; i < ctts_count_old && sc->ctts_count < sc->sample_count; i++) for (j = 0; j < ctts_data_old[i].count && -- 2.16.2.395.g2e18187dfd-goog
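Review bot: the new memset in mov_build_index clears sc->ctts_allocated_size bytes of sc->ctts_data, which is only the right length if ctts_allocated_size describes the fresh allocation made just above this hunk rather than the old table's size; that precondition is not visible in the hunk, so a short comment at the memset stating why the tail can be shorter than sample_count (mov_read_ctts dropping count <= 0 entries) and which size is being cleared would save the next reader from re-deriving it. The (uint8_t*) cast is redundant, memset takes a void *, so `memset(sc->ctts_data, 0, sc->ctts_allocated_size);` is enough. Zeroing also only makes the gap deterministic (entries with count 0 and duration 0); any consumer that walks ctts_data up to sample_count instead of sc->ctts_count still has to handle a zero-count entry, which is the "later usage" the commit message alludes to and is worth spelling out in that comment.

The gap the patch closes, modelled in a small stand-alone program. This is an added example and not FFmpeg code; the type CttsEntry and the functions normalize_ctts, count_garbage_entries and run_case are hypothetical stand-ins for the normalization loop in mov_build_index, and the 0xAA poison and the sample ctts table are constructed so the uninitialized tail is visible and deterministic. It goes beyond the patch by also exercising the case where the ctts entries cover more samples than sample_count.

```c
/* Added example, not FFmpeg code. Models the ctts normalization in
 * mov_build_index (one entry per sample) to show the uninitialized tail
 * that the patch zeroes. Names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int count; int duration; } CttsEntry;

/* Expand run-length ctts entries into one entry per sample, like the loop
 * in mov_build_index. Entries with count <= 0 are skipped (mov_read_ctts
 * already drops them, so their samples are never covered). With zero_fill
 * the whole allocation is cleared first, as the patch's memset does;
 * without it the tail keeps whatever the allocator handed back, which the
 * example poisons with 0xAA to stand in for stale heap data (constructed).
 * Returns the number of entries written, or -1 on allocation failure. */
static int normalize_ctts(const CttsEntry *old, int old_count,
                          int sample_count, int zero_fill, CttsEntry **out)
{
    size_t alloc = (size_t)sample_count * sizeof(CttsEntry);
    CttsEntry *n = malloc(alloc);
    if (!n)
        return -1;
    memset(n, 0xAA, alloc);        /* deterministic poison, stands in for uninitialized bytes */
    if (zero_fill)
        memset(n, 0, alloc);       /* the fix: clear the entire allocation */

    int written = 0;
    for (int i = 0; i < old_count && written < sample_count; i++)
        for (int j = 0; j < old[i].count && written < sample_count; j++) {
            n[written].count    = 1;
            n[written].duration = old[i].duration;
            written++;
        }
    *out = n;
    return written;
}

/* Walk the whole table up to sample_count, the kind of read a later
 * consumer might do, and count entries that are neither a normalized
 * entry (count == 1) nor a zeroed gap entry (count == 0). */
static int count_garbage_entries(const CttsEntry *n, int sample_count)
{
    int garbage = 0;
    for (int i = 0; i < sample_count; i++)
        if (n[i].count != 1 && n[i].count != 0)
            garbage++;
    return garbage;
}

/* Constructed ctts table: 2 + 1 valid samples covered, two entries that
 * mov_read_ctts would drop, and sample_count 6, so three samples at the
 * tail are never written. Returns the garbage count; *written_out gets the
 * number of entries the loop produced. */
static int run_case(int zero_fill, int *written_out)
{
    static const CttsEntry old[] = { {2, 10}, {0, 99}, {-1, 5}, {1, 20} };
    const int sample_count = 6;
    CttsEntry *n = NULL;
    int written = normalize_ctts(old, 4, sample_count, zero_fill, &n);
    if (written < 0)
        return -1;
    int garbage = count_garbage_entries(n, sample_count);
    free(n);
    if (written_out)
        *written_out = written;
    return garbage;
}

/* Opposite direction: ctts covers more samples than sample_count, so the
 * loop stops at sample_count and there is no tail either way. */
static int run_overfull_case(int zero_fill)
{
    static const CttsEntry old[] = { {10, 5} };
    CttsEntry *n = NULL;
    int written = normalize_ctts(old, 1, 4, zero_fill, &n);
    if (written < 0)
        return -1;
    int garbage = count_garbage_entries(n, 4);
    free(n);
    return written == 4 ? garbage : -1;
}

int main(void)
{
    int w = 0;
    printf("no zero fill: written=%d garbage=%d\n", run_case(0, &w), w);
    printf("zero fill:    written=%d garbage=%d\n", run_case(1, &w), w);
    return 0;
}
```

Without the clear, the three tail entries read back as the poison value, which is exactly what a real build would see as whatever the allocator left in that memory; with it they read as count 0, duration 0, which is deterministic but still must be handled by any code that walks up to sample_count rather than the written count.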