diff mbox

[FFmpeg-devel] lavf/segment: fix crash when failing to open segment list

Message ID 20170121021924.51394-1-rodger.combs@gmail.com
State Accepted
Commit 2b202900618d82030384d46c8d9c3dbf3fe1d7ed
Headers show

Commit Message

Rodger Combs Jan. 21, 2017, 2:19 a.m. UTC 
This happens because segment_end() returns an error, so seg_write_packet
never proceeds to segment_start(), and seg->avf->pb is never re-set,
so we crash with a null pb when av_write_trailer flushes the packet
queue.

This doesn't seem to be clearly recoverable, so I'm just failing more
gracefully.

Repro:
ffmpeg -i input.ts -f segment -c copy -segment_list /noaxx.m3u8 test-%05d.ts

(assuming you don't have write access to /)
---
 libavformat/segment.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Jan. 21, 2017, 8:04 p.m. UTC | #1 
On Fri, Jan 20, 2017 at 08:19:24PM -0600, Rodger Combs wrote:
> This happens because segment_end() returns an error, so seg_write_packet
> never proceeds to segment_start(), and seg->avf->pb is never re-set,
> so we crash with a null pb when av_write_trailer flushes the packet
> queue.
> 
> This doesn't seem to be clearly recoverable, so I'm just failing more
> gracefully.
> 
> Repro:
> ffmpeg -i input.ts -f segment -c copy -segment_list /noaxx.m3u8 test-%05d.ts
> 
> (assuming you don't have write access to /)
> ---
>  libavformat/segment.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

LGTM

thx

[...]
diff mbox

Patch

diff --git a/libavformat/segment.c b/libavformat/segment.c
index 9b3dc178eb..9d471483b3 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -354,6 +354,9 @@  static int segment_end(AVFormatContext *s, int write_trailer, int is_last)
     int i;
     int err;
 
+    if (!oc || !oc->pb)
+        return AVERROR(EINVAL);
+
     av_write_frame(oc, NULL); /* Flush any buffered data (fragmented mp4) */
     if (write_trailer)
         ret = av_write_trailer(oc);
@@ -850,7 +853,7 @@  static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
     int64_t usecs;
     int64_t wrapped_val;
 
-    if (!seg->avf)
+    if (!seg->avf || !seg->avf->pb)
         return AVERROR(EINVAL);
 
 calc_times: