Message ID | 20201020110334.197116-1-andreas.rheinhardt@gmail.com |
---|---|
State | Accepted |
Commit | 96ad55df5bfa594defa2d57970686df3106a9ffa |
Series | [FFmpeg-devel,1/4] avformat/hlsenc: Fix extradata length check |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
Andreas Rheinhardt <andreas.rheinhardt@gmail.com> wrote on Tue, Oct 20, 2020 at 7:03 PM:
>
> Commit a2b1dd0ce301450a47c972745a6b33c4c273aa5d added support for
> parsing annex B HEVC extradata to extract profile and level information.
> Yet it only checks for there to be enough data left for the startcode
> and the first byte of the NAL unit header and not for the full NAL unit
> header; it simply presumes the second byte of the NAL unit header to be
> present and skips it. Then the remaining size of the extradata is calculated
> which ends up negative if the second byte of the NAL unit header is not
> present. Yet when calling ff_nal_unit_extract_rbsp() it
> will be converted to an uint32_t and end up as UINT32_MAX which
> will cause mayhem.
>
> This is solved by making sure that there is always enough remaining
> extradata that could (pending 0x03 escapes) contain the data that we
> are interested in.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
> libavformat/hlsenc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c > index 8e4cc36d50..49c4ab5966 100644 > --- a/libavformat/hlsenc.c > +++ b/libavformat/hlsenc.c 
> @@ -349,7 +349,7 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) > level = st->codecpar->level; > > /* check the boundary of data which from current position is small than extradata_size */ > - while (data && (data - st->codecpar->extradata + 5) < st->codecpar->extradata_size) { > + while (data && (data - st->codecpar->extradata + 19) < st->codecpar->extradata_size) { > /* get HEVC SPS NAL and seek to profile_tier_level */ > if (!(data[0] | data[1] | data[2]) && data[3] == 1 && ((data[4] & 0x42) == 0x42)) { > int remain_size = 0; > -- > 2.25.1

LGTM

Thanks
Steven
diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 8e4cc36d50..49c4ab5966 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -349,7 +349,7 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) level = st->codecpar->level; /* check the boundary of data which from current position is small than extradata_size */ - while (data && (data - st->codecpar->extradata + 5) < st->codecpar->extradata_size) { + while (data && (data - st->codecpar->extradata + 19) < st->codecpar->extradata_size) { /* get HEVC SPS NAL and seek to profile_tier_level */ if (!(data[0] | data[1] | data[2]) && data[3] == 1 && ((data[4] & 0x42) == 0x42)) { int remain_size = 0;
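Review bot: the new bound `+ 19` in the `while` condition is an unexplained magic number, and the comment directly above it still only says that the current position must be smaller than extradata_size. Add a comment or a named constant spelling out which bytes the 19 covers (start code, two-byte NAL unit header, and the profile and level fields the commit message refers to), and state whether 19 is a byte count or the last index read: with the strict `<`, the loop body only runs when 20 bytes are available from `data`. Since `int remain_size` is still the value that the commit message says gets converted to an unsigned length, an explicit check next to its computation that it is not negative would keep that conversion safe independently of this loop bound.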
Commit a2b1dd0ce301450a47c972745a6b33c4c273aa5d added support for parsing annex B HEVC extradata to extract profile and level information. Yet it only checks for there to be enough data left for the startcode and the first byte of the NAL unit header and not for the full NAL unit header; it simply presumes the second byte of the NAL unit header to be present and skips it. Then the remaining size of the extradata is calculated which ends up negative if the second byte of the NAL unit header is not present. Yet when calling ff_nal_unit_extract_rbsp() it will be converted to an uint32_t and end up as UINT32_MAX which will cause mayhem.

This is solved by making sure that there is always enough remaining extradata that could (pending 0x03 escapes) contain the data that we are interested in.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

---

libavformat/hlsenc.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)
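The length wrap-around described in the commit message, as an added example (not FFmpeg's code and not part of the patch): when the guard only guarantees the start code plus one header byte, skipping the 6-byte prefix leaves a remaining size of -1, which becomes UINT32_MAX once converted to an unsigned length. The helper `sps_payload_len`, its `need` parameter, the reading of 19 as a byte count and both sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PREFIX_LEN 6   /* 4-byte start code + 2-byte HEVC NAL unit header */
#define NEED       19  /* the patch's constant, read here as a byte count (assumption) */

/* Same match as the patched loop: 00 00 00 01, then (byte & 0x42) == 0x42. */
static int is_sps_start(const uint8_t *p)
{
    return !(p[0] | p[1] | p[2]) && p[3] == 1 && (p[4] & 0x42) == 0x42;
}

/* Hypothetical helper: scan buf for the SPS start, requiring `need` bytes at
 * each candidate offset. Returns the payload length as a parser taking a
 * uint32_t would see it, or -1 when no candidate passes the guard. */
static int64_t sps_payload_len(const uint8_t *buf, int size, int need)
{
    if (need < 5)                       /* is_sps_start() reads five bytes */
        return -1;
    for (int off = 0; off + need <= size; off++) {
        if (!is_sps_start(buf + off))
            continue;
        int remain = size - (off + PREFIX_LEN); /* skip prefix unconditionally */
        return (uint32_t)remain;                /* a negative value wraps here */
    }
    return -1;
}

/* Constructed input: extradata cut off after the first NAL header byte. */
static const uint8_t truncated[5] = { 0, 0, 0, 1, 0x42 };
/* Constructed input: start code, 2-byte NAL header, 14 payload bytes. */
static const uint8_t complete[20] = { 0, 0, 0, 1, 0x42, 0x01 };

int main(void)
{
    /* Weak guard (5 bytes): remain is -1 and wraps to UINT32_MAX. */
    printf("weak,   truncated: %lld\n", (long long)sps_payload_len(truncated, 5, 5));
    /* Full guard: the truncated buffer is rejected before any skip. */
    printf("strict, truncated: %lld\n", (long long)sps_payload_len(truncated, 5, NEED));
    /* Full guard on complete data: 20 - 6 = 14 payload bytes. */
    printf("strict, complete:  %lld\n", (long long)sps_payload_len(complete, 20, NEED));
    return 0;
}
```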