| Message ID | 20240310180719.8902-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | cb9752d897de17212a7a3ce54ad3e16b377b22c0 |
| Headers | show |
| Series | [FFmpeg-devel] avformat/mpegts: Reset local nb_prg on add_program() failure | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
On Sun, Mar 10, 2024 at 07:07:19PM +0100, Michael Niedermayer wrote: > add_program() will deallocate the whole array on failure so > we must clear nb_prgs > > Fixes: null pointer dereference > Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc > > Found-by: Catena cyber > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mpegts.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) will apply [...]
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index de7a3c8b45..320926248b 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2605,7 +2605,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len FFSWAP(struct Program, ts->prg[nb_prg], ts->prg[prg_idx]); if (prg_idx >= nb_prg) nb_prg++; - } + } else + nb_prg = 0; } } ts->nb_prg = nb_prg;
add_program() will deallocate the whole array on failure so we must clear nb_prgs Fixes: null pointer dereference Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc Found-by: Catena cyber Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)