From patchwork Sat Jun 13 11:23:45 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 20325
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 13 Jun 2020 13:23:45 +0200
Message-Id: <20200613112345.13515-5-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200613112345.13515-1-michael@niedermayer.cc>
References: <20200613112345.13515-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/5] avformat/oggdec: Disable mid stream codec changes

The code crashes and neither the authors nor anyone else fixed this.
We cannot release code which crashes, so if no one fixes it, the only option
left is to disable or revert.
Revert is difficult as there are multiple commits afterwards.

Fixes: 22082/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5688619118624768
Fixes: crash from V-codecs/Theora/theora_testsuite_broken/multi2.ogg

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/oggdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 9eb45499c6..1f3ed8024c 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -229,6 +229,15 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, char *magic, /* We only have a single stream anyway, so if there's a new stream with * a different codec just replace it */ os = &ogg->streams[0]; + if (os->codec != codec) { + /* + * The codec change code from 8296443a70f052a6f5c9a867d28b83a5eb7d304d and surounding commits + * crashes with out of array accesses + * testcase is https://samples.ffmpeg.org/V-codecs/Theora/theora_testsuite_broken/multi2.ogg + */ + return AVERROR_PATCHWELCOME; + } + os->serial = serial; os->codec = codec; os->serial = serial;
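Review bot: the unchanged comment directly above the new check ("so if there's a new stream with a different codec just replace it") is now wrong, because the `if (os->codec != codec)` branch returns AVERROR_PATCHWELCOME before any replacement takes place; rewrite it to say that a page announcing a different codec is rejected until the codec-change path is fixed, or fold it into the new comment block so the two do not contradict each other. Two smaller points in the same hunk: "surounding" should be "surrounding", and the unchanged context still assigns `os->serial = serial;` twice, once before and once after `os->codec = codec;`, which this patch could drop while it is touching that block. Placing the check before `os->serial = serial;` does have the benefit that a rejected page leaves the existing stream state untouched; it would be worth confirming with the multi2.ogg sample named in the commit message that the demuxer now returns the error cleanly rather than crashing.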