diff mbox

[FFmpeg-devel,5/5] avformat/mpeg: Don't use unintialized value

Message ID 20191022131645.8394-5-andreas.rheinhardt@gmail.com
State Accepted
Headers show

Commit Message

Andreas Rheinhardt Oct. 22, 2019, 1:16 p.m. UTC 
vobsub_read_packet() didn't check whether an index in array of AVPackets
was valid and therefore used uninitialized values.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
Actually I only wanted to use Valgrind to check for memleaks...

 libavformat/mpeg.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Andreas Rheinhardt Jan. 18, 2020, 6:45 p.m. UTC | #1 
On Tue, Oct 22, 2019 at 3:17 PM Andreas Rheinhardt <
andreas.rheinhardt@gmail.com> wrote:

> vobsub_read_packet() didn't check whether an index in array of AVPackets
> was valid and therefore used uninitialized values.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
> Actually I only wanted to use Valgrind to check for memleaks...
>
>  libavformat/mpeg.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> index 73ade71d95..474afd06b9 100644
> --- a/libavformat/mpeg.c
> +++ b/libavformat/mpeg.c
> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s,
> AVPacket *pkt)
>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>          int64_t ts;
>          av_assert0(tmpq->nb_subs);
> +
> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
> +            continue;
> +
>          ts = tmpq->subs[tmpq->current_sub_idx].pts;
>          if (ts < min_ts) {
>              min_ts = ts;
> --
> 2.20.1
>
>
Ping.

- Andreas
Michael Niedermayer Jan. 19, 2020, 11:56 a.m. UTC | #2 
On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
> vobsub_read_packet() didn't check whether an index in array of AVPackets
> was valid and therefore used uninitialized values.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
> Actually I only wanted to use Valgrind to check for memleaks...
> 
>  libavformat/mpeg.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> index 73ade71d95..474afd06b9 100644
> --- a/libavformat/mpeg.c
> +++ b/libavformat/mpeg.c
> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>          int64_t ts;
>          av_assert0(tmpq->nb_subs);
> +
> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
> +            continue;

How can this issue be reproduced ?

thx

[...]
Andreas Rheinhardt Jan. 19, 2020, 2:43 p.m. UTC | #3 
Michael Niedermayer:
> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>> was valid and therefore used uninitialized values.
>>
>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>> ---
>> Actually I only wanted to use Valgrind to check for memleaks...
>>
>>  libavformat/mpeg.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
>> index 73ade71d95..474afd06b9 100644
>> --- a/libavformat/mpeg.c
>> +++ b/libavformat/mpeg.c
>> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
>>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>>          int64_t ts;
>>          av_assert0(tmpq->nb_subs);
>> +
>> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
>> +            continue;
> 
> How can this issue be reproduced ?
> 
> thx
> 
> [...]

Read a VobSub subtitle till the end:
ffmpeg -i <idx input file> -c copy -f null -

- Andreas
Andreas Rheinhardt March 1, 2020, 9:22 p.m. UTC | #4 
On Sun, Jan 19, 2020 at 3:44 PM Andreas Rheinhardt <
andreas.rheinhardt@gmail.com> wrote:

> Michael Niedermayer:
> > On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
> >> vobsub_read_packet() didn't check whether an index in array of AVPackets
> >> was valid and therefore used uninitialized values.
> >>
> >> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> >> ---
> >> Actually I only wanted to use Valgrind to check for memleaks...
> >>
> >>  libavformat/mpeg.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> >> index 73ade71d95..474afd06b9 100644
> >> --- a/libavformat/mpeg.c
> >> +++ b/libavformat/mpeg.c
> >> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s,
> AVPacket *pkt)
> >>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
> >>          int64_t ts;
> >>          av_assert0(tmpq->nb_subs);
> >> +
> >> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
> >> +            continue;
> >
> > How can this issue be reproduced ?
> >
> > thx
> >
> > [...]
>
> Read a VobSub subtitle till the end:
> ffmpeg -i <idx input file> -c copy -f null -
>
> - Andreas
>

Ping.

- Andreas
Andreas Rheinhardt March 14, 2020, 6:24 p.m. UTC | #5 
Andreas Rheinhardt:
> On Sun, Jan 19, 2020 at 3:44 PM Andreas Rheinhardt <
> andreas.rheinhardt@gmail.com> wrote:
> 
>> Michael Niedermayer:
>>> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>>>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>>>> was valid and therefore used uninitialized values.
>>>>
>>>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>>>> ---
>>>> Actually I only wanted to use Valgrind to check for memleaks...
>>>>
>>>>  libavformat/mpeg.c | 4 ++++
>>>>  1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
>>>> index 73ade71d95..474afd06b9 100644
>>>> --- a/libavformat/mpeg.c
>>>> +++ b/libavformat/mpeg.c
>>>> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s,
>> AVPacket *pkt)
>>>>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>>>>          int64_t ts;
>>>>          av_assert0(tmpq->nb_subs);
>>>> +
>>>> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
>>>> +            continue;
>>>
>>> How can this issue be reproduced ?
>>>
>>> thx
>>>
>>> [...]
>>
>> Read a VobSub subtitle till the end:
>> ffmpeg -i <idx input file> -c copy -f null -
>>
>> - Andreas
>>
> 
> Ping.
> 
> - Andreas
> 
Ping.

- Andreas
Michael Niedermayer March 15, 2020, 2:59 p.m. UTC | #6 
On Sun, Jan 19, 2020 at 02:43:00PM +0000, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
> >> vobsub_read_packet() didn't check whether an index in array of AVPackets
> >> was valid and therefore used uninitialized values.
> >>
> >> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> >> ---
> >> Actually I only wanted to use Valgrind to check for memleaks...
> >>
> >>  libavformat/mpeg.c | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> >> index 73ade71d95..474afd06b9 100644
> >> --- a/libavformat/mpeg.c
> >> +++ b/libavformat/mpeg.c
> >> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
> >>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
> >>          int64_t ts;
> >>          av_assert0(tmpq->nb_subs);
> >> +
> >> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
> >> +            continue;
> > 
> > How can this issue be reproduced ?
> > 
> > thx
> > 
> > [...]
> 
> Read a VobSub subtitle till the end:
> ffmpeg -i <idx input file> -c copy -f null -

does not reproduce

./ffmpeg  -i fate/sub/vobsub.idx  -c copy   -f null -
Output file #0 does not contain any stream
code does not execute

./ffmpeg  -i fate/sub/vobsub.idx  -c copy -map s  -f null -
the if does not execute

iam obviously doing something wrong, can you provide a unambigous testcase?

Thanks

[...]
Andreas Rheinhardt March 18, 2020, 3:35 a.m. UTC | #7 
Michael Niedermayer:
> On Sun, Jan 19, 2020 at 02:43:00PM +0000, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>>>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>>>> was valid and therefore used uninitialized values.
>>>>
>>>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>>>> ---
>>>> Actually I only wanted to use Valgrind to check for memleaks...
>>>>
>>>>  libavformat/mpeg.c | 4 ++++
>>>>  1 file changed, 4 insertions(+)
>>>>
>>>> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
>>>> index 73ade71d95..474afd06b9 100644
>>>> --- a/libavformat/mpeg.c
>>>> +++ b/libavformat/mpeg.c
>>>> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
>>>>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>>>>          int64_t ts;
>>>>          av_assert0(tmpq->nb_subs);
>>>> +
>>>> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
>>>> +            continue;
>>>
>>> How can this issue be reproduced ?
>>>
>>> thx
>>>
>>> [...]
>>
>> Read a VobSub subtitle till the end:
>> ffmpeg -i <idx input file> -c copy -f null -
> 
> does not reproduce
> 
> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy   -f null -
> Output file #0 does not contain any stream
> code does not execute

Sorry, I forgot that subtitle streams are not enabled by default.
> 
> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy -map s  -f null -
> the if does not execute
> 
> iam obviously doing something wrong, can you provide a unambigous testcase?
> 
You are not doing anything wrong; it's just that the sample is
truncated: The idx file claims to contain 47 packets, yet the sub file
contains only 46. As a result, trying to read the 47. packet (the last
packet that exists in the FFDemuxSubtitlesQueue) fails and no attempt to
read another packet (which would trigger what I told you) is attempted.

You can reproduce this by deleting the last line in vobsub.idx.

- Andreas
Andreas Rheinhardt March 29, 2020, 10:23 a.m. UTC | #8 
Andreas Rheinhardt:
> Michael Niedermayer:
>> On Sun, Jan 19, 2020 at 02:43:00PM +0000, Andreas Rheinhardt wrote:
>>> Michael Niedermayer:
>>>> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>>>>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>>>>> was valid and therefore used uninitialized values.
>>>>>
>>>>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>>>>> ---
>>>>> Actually I only wanted to use Valgrind to check for memleaks...
>>>>>
>>>>>  libavformat/mpeg.c | 4 ++++
>>>>>  1 file changed, 4 insertions(+)
>>>>>
>>>>> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
>>>>> index 73ade71d95..474afd06b9 100644
>>>>> --- a/libavformat/mpeg.c
>>>>> +++ b/libavformat/mpeg.c
>>>>> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
>>>>>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>>>>>          int64_t ts;
>>>>>          av_assert0(tmpq->nb_subs);
>>>>> +
>>>>> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
>>>>> +            continue;
>>>>
>>>> How can this issue be reproduced ?
>>>>
>>>> thx
>>>>
>>>> [...]
>>>
>>> Read a VobSub subtitle till the end:
>>> ffmpeg -i <idx input file> -c copy -f null -
>>
>> does not reproduce
>>
>> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy   -f null -
>> Output file #0 does not contain any stream
>> code does not execute
> 
> Sorry, I forgot that subtitle streams are not enabled by default.
>>
>> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy -map s  -f null -
>> the if does not execute
>>
>> iam obviously doing something wrong, can you provide a unambigous testcase?
>>
> You are not doing anything wrong; it's just that the sample is
> truncated: The idx file claims to contain 47 packets, yet the sub file
> contains only 46. As a result, trying to read the 47. packet (the last
> packet that exists in the FFDemuxSubtitlesQueue) fails and no attempt to
> read another packet (which would trigger what I told you) is attempted.
> 
> You can reproduce this by deleting the last line in vobsub.idx.
> 
> - Andreas
> 
Ping.

- Andreas
Andreas Rheinhardt April 8, 2020, 5:53 p.m. UTC | #9 
Andreas Rheinhardt:
> Andreas Rheinhardt:
>> Michael Niedermayer:
>>> On Sun, Jan 19, 2020 at 02:43:00PM +0000, Andreas Rheinhardt wrote:
>>>> Michael Niedermayer:
>>>>> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>>>>>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>>>>>> was valid and therefore used uninitialized values.
>>>>>>
>>>>>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>>>>>> ---
>>>>>> Actually I only wanted to use Valgrind to check for memleaks...
>>>>>>
>>>>>>  libavformat/mpeg.c | 4 ++++
>>>>>>  1 file changed, 4 insertions(+)
>>>>>>
>>>>>> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
>>>>>> index 73ade71d95..474afd06b9 100644
>>>>>> --- a/libavformat/mpeg.c
>>>>>> +++ b/libavformat/mpeg.c
>>>>>> @@ -930,6 +930,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
>>>>>>          FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
>>>>>>          int64_t ts;
>>>>>>          av_assert0(tmpq->nb_subs);
>>>>>> +
>>>>>> +        if (tmpq->current_sub_idx >= tmpq->nb_subs)
>>>>>> +            continue;
>>>>>
>>>>> How can this issue be reproduced ?
>>>>>
>>>>> thx
>>>>>
>>>>> [...]
>>>>
>>>> Read a VobSub subtitle till the end:
>>>> ffmpeg -i <idx input file> -c copy -f null -
>>>
>>> does not reproduce
>>>
>>> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy   -f null -
>>> Output file #0 does not contain any stream
>>> code does not execute
>>
>> Sorry, I forgot that subtitle streams are not enabled by default.
>>>
>>> ./ffmpeg  -i fate/sub/vobsub.idx  -c copy -map s  -f null -
>>> the if does not execute
>>>
>>> iam obviously doing something wrong, can you provide a unambigous testcase?
>>>
>> You are not doing anything wrong; it's just that the sample is
>> truncated: The idx file claims to contain 47 packets, yet the sub file
>> contains only 46. As a result, trying to read the 47. packet (the last
>> packet that exists in the FFDemuxSubtitlesQueue) fails and no attempt to
>> read another packet (which would trigger what I told you) is attempted.
>>
>> You can reproduce this by deleting the last line in vobsub.idx.
>>
>> - Andreas
>>
> Ping.
> 
> - Andreas
> 
Ping.

- Andreas
Michael Niedermayer April 9, 2020, 9:02 a.m. UTC | #10 
On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
> vobsub_read_packet() didn't check whether an index in array of AVPackets
> was valid and therefore used uninitialized values.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
> Actually I only wanted to use Valgrind to check for memleaks...
> 
>  libavformat/mpeg.c | 4 ++++
>  1 file changed, 4 insertions(+)

LGTM

thx

[...]
Andreas Rheinhardt April 9, 2020, 1:29 p.m. UTC | #11 
Michael Niedermayer:
> On Tue, Oct 22, 2019 at 03:16:45PM +0200, Andreas Rheinhardt wrote:
>> vobsub_read_packet() didn't check whether an index in array of AVPackets
>> was valid and therefore used uninitialized values.
>>
>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
>> ---
>> Actually I only wanted to use Valgrind to check for memleaks...
>>
>>  libavformat/mpeg.c | 4 ++++
>>  1 file changed, 4 insertions(+)
> 
> LGTM
> 
> thx
> 
Applied, thanks.

- Andreas
diff mbox

Patch

diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index 73ade71d95..474afd06b9 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -930,6 +930,10 @@  static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt)
         FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i];
         int64_t ts;
         av_assert0(tmpq->nb_subs);
+
+        if (tmpq->current_sub_idx >= tmpq->nb_subs)
+            continue;
+
         ts = tmpq->subs[tmpq->current_sub_idx].pts;
         if (ts < min_ts) {
             min_ts = ts;