Message ID | 20200810011023.17540-1-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | 6e0dd41fa3cdfd4b31d2c03c52e926231d7b2e73 |
Headers | show |
Series | [FFmpeg-devel,1/3] avformat/mlvdec: Check for existence of AVIOContext before using it | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
Andreas Rheinhardt: > The mlv demuxer supports input split into multiple files; if invalid > data is encountered when parsing one of the subsequent files, that file > is closed. But at this point some index entries belonging to this file > might already have been added. In this case, the read_packet function > might try to use the AVIOContext (which is NULL) to read data which will > of course crash. This commit fixes this. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > As an alternative to patches 1 and 3 one could also just error out if > one of the subsequent files is bad. > > libavformat/mlvdec.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c > index 03aed71024..7c7ced7f76 100644 > --- a/libavformat/mlvdec.c > +++ b/libavformat/mlvdec.c > @@ -411,6 +411,10 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) > } > > pb = mlv->pb[st->index_entries[index].size]; > + if (!pb) { > + ret = FFERROR_REDO; > + goto next_packet; > + } > avio_seek(pb, st->index_entries[index].pos, SEEK_SET); > > avio_skip(pb, 4); // blockType > @@ -439,12 +443,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) > pkt->stream_index = mlv->stream_index; > pkt->pts = mlv->pts; > > + ret = 0; > +next_packet: > mlv->stream_index++; > if (mlv->stream_index == avctx->nb_streams) { > mlv->stream_index = 0; > mlv->pts++; > } > - return 0; > + return ret; > } > > static int read_seek(AVFormatContext *avctx, int stream_index, int64_t timestamp, int flags) > Will apply this patchset tomorrow unless there are objections. - Andreas
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 03aed71024..7c7ced7f76 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -411,6 +411,10 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) } pb = mlv->pb[st->index_entries[index].size]; + if (!pb) { + ret = FFERROR_REDO; + goto next_packet; + } avio_seek(pb, st->index_entries[index].pos, SEEK_SET); avio_skip(pb, 4); // blockType @@ -439,12 +443,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) pkt->stream_index = mlv->stream_index; pkt->pts = mlv->pts; + ret = 0; +next_packet: mlv->stream_index++; if (mlv->stream_index == avctx->nb_streams) { mlv->stream_index = 0; mlv->pts++; } - return 0; + return ret; } static int read_seek(AVFormatContext *avctx, int stream_index, int64_t timestamp, int flags)
The mlv demuxer supports input split into multiple files; if invalid data is encountered when parsing one of the subsequent files, that file is closed. But at this point some index entries belonging to this file might already have been added. In this case, the read_packet function might try to use the AVIOContext (which is NULL) to read data which will of course crash. This commit fixes this. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- As an alternative to patches 1 and 3 one could also just error out if one of the subsequent files is bad. libavformat/mlvdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)