[FFmpeg-devel] Fix for PES packets with too much padding

PES packet with too much padding trigger unlimited error
messages "PES packet size mismatch" because the code that
corrects the length is wrong.
Here is a sample file: http://99.93.62.129/smpte2038.ts
PID 300 is the one triggering the errors.
I am attaching a patch that fixes the problem.
Subject: [PATCH] Fix setting the correct size for PES packets with too much
 padding

---
 libavformat/mpegts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

August 3, 2021 10:07 AM, "Sergio M. Ammirata, Ph.D." <sergio@ammirata.net> wrote:

> PES packet with too much padding trigger unlimited error
> messages "PES packet size mismatch" because the code that
> corrects the length is wrong.
> Here is a sample file: http://99.93.62.129/smpte2038.ts
> PID 300 is the one triggering the errors.
> I am attaching a patch that fixes the problem.
> 
On the if statement right above your change,  are you sure that the condition should still be buf_size > pes->total_size? Especially if the old change was just buf_size = pes->total_size (so clipping according to condition); and the new one is setting it to something different. 

thx for patch.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Tue, Aug 03, 2021 at 10:07:34AM -0400, Sergio M. Ammirata, Ph.D. wrote:
> PES packet with too much padding trigger unlimited error
> messages "PES packet size mismatch" because the code that
> corrects the length is wrong.
> Here is a sample file: http://99.93.62.129/smpte2038.ts
> PID 300 is the one triggering the errors.
> I am attaching a patch that fixes the problem.
> 

>  mpegts.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 8f8c73a5e78d7c740958054764defa3571979fc4  0001-Fix-setting-the-correct-size-for-PES-packets-with-to.patch
> From 3a2760d42b38023c73f9a3ab18de01a44526dbc9 Mon Sep 17 00:00:00 2001
> From: Sergio Ammirata <sergio@ammirata.net>
> Date: Tue, 3 Aug 2021 13:43:44 +0000
> Subject: [PATCH] Fix setting the correct size for PES packets with too much
>  padding
> 
> ---
>  libavformat/mpegts.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> index 640c9afa5d..40439c26c0 100644
> --- a/libavformat/mpegts.c
> +++ b/libavformat/mpegts.c
> @@ -1355,7 +1355,7 @@ skip:
>                             buf_size > pes->total_size) {
>                      // pes packet size is < ts size packet and pes data is padded with 0xff
>                      // not sure if this is legal in ts but see issue #2392
> -                    buf_size = pes->total_size;
> +                    buf_size = PES_START_SIZE + pes->total_size - pes->pes_header_size;
>                  }
>                  memcpy(pes->buffer->data + pes->data_index, p, buf_size);
>                  pes->data_index += buf_size;

This causes segfaults

[...]

On Thu, Aug 05, 2021 at 11:08:30PM +0200, Michael Niedermayer wrote:
> On Tue, Aug 03, 2021 at 10:07:34AM -0400, Sergio M. Ammirata, Ph.D. wrote:
> > PES packet with too much padding trigger unlimited error
> > messages "PES packet size mismatch" because the code that
> > corrects the length is wrong.
> > Here is a sample file: http://99.93.62.129/smpte2038.ts
> > PID 300 is the one triggering the errors.
> > I am attaching a patch that fixes the problem.
> > 
> 
> >  mpegts.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 8f8c73a5e78d7c740958054764defa3571979fc4  0001-Fix-setting-the-correct-size-for-PES-packets-with-to.patch
> > From 3a2760d42b38023c73f9a3ab18de01a44526dbc9 Mon Sep 17 00:00:00 2001
> > From: Sergio Ammirata <sergio@ammirata.net>
> > Date: Tue, 3 Aug 2021 13:43:44 +0000
> > Subject: [PATCH] Fix setting the correct size for PES packets with too much
> >  padding
> > 
> > ---
> >  libavformat/mpegts.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
> > index 640c9afa5d..40439c26c0 100644
> > --- a/libavformat/mpegts.c
> > +++ b/libavformat/mpegts.c
> > @@ -1355,7 +1355,7 @@ skip:
> >                             buf_size > pes->total_size) {
> >                      // pes packet size is < ts size packet and pes data is padded with 0xff
> >                      // not sure if this is legal in ts but see issue #2392
> > -                    buf_size = pes->total_size;
> > +                    buf_size = PES_START_SIZE + pes->total_size - pes->pes_header_size;
> >                  }
> >                  memcpy(pes->buffer->data + pes->data_index, p, buf_size);
> >                  pes->data_index += buf_size;
> 
> This causes segfaults

==5552== Invalid write of size 2
==5552==    at 0x4C38753: memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5552==    by 0x62DD54: mpegts_push_data (in ffmpeg_g)
==5552==    by 0x62B832: handle_packet (in ffmpeg_g)
==5552==    by 0x62BCD4: handle_packets (in ffmpeg_g)
==5552==    by 0x62BE11: mpegts_read_packet (in ffmpeg_g)
==5552==    by 0x6BADB9: ff_read_packet (in ffmpeg_g)
==5552==    by 0x6BBAFA: read_frame_internal (in ffmpeg_g)
==5552==    by 0x6C05EC: avformat_find_stream_info (in ffmpeg_g)
==5552==    by 0x2DB175: open_input_file (in ffmpeg_g)
==5552==    by 0x2DEA5B: ffmpeg_parse_options (in ffmpeg_g)
==5552==    by 0x2D3151: main (in ffmpeg_g)
==5552==  Address 0x2d25cb80 is 0 bytes after a block of size 128 alloc'd
==5552==    at 0x4C33E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5552==    by 0x4C33F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5552==    by 0x11166C2: av_malloc (in ffmpeg_g)
==5552==    by 0x1100F65: av_buffer_alloc (in ffmpeg_g)
==5552==    by 0x11017A4: av_buffer_pool_get (in ffmpeg_g)
==5552==    by 0x62E16F: mpegts_push_data (in ffmpeg_g)
==5552==    by 0x62B832: handle_packet (in ffmpeg_g)
==5552==    by 0x62BCD4: handle_packets (in ffmpeg_g)
==5552==    by 0x62BE11: mpegts_read_packet (in ffmpeg_g)
==5552==    by 0x6BADB9: ff_read_packet (in ffmpeg_g)
==5552==    by 0x6BBAFA: read_frame_internal (in ffmpeg_g)
==5552==    by 0x6C05EC: avformat_find_stream_info (in ffmpeg_g)
==5552==    by 0x2DB175: open_input_file (in ffmpeg_g)
==5552==    by 0x2DEA5B: ffmpeg_parse_options (in ffmpeg_g)
==5552==    by 0x2D3151: main (in ffmpeg_g)


[...]

You are right ... the if statement would have to change as
well.
On Tue, 2021-08-03 at 14:20 +0000, 
ffmpegandmahanstreamer@e.email wrote:
> August 3, 2021 10:07 AM, "Sergio M. Ammirata, Ph.D." <
> sergio@ammirata.net> wrote:
> PES packet with too much padding trigger unlimited
> errormessages "PES packet size mismatch" because the code
> thatcorrects the length is wrong.Here is a sample file: 
> http://99.93.62.129/smpte2038.tsPID 300 is the one
> triggering the errors.I am attaching a patch that fixes
> the problem.
> On the if statement right above your change,  are you
> sure that the condition should still be buf_size > pes-
> >total_size? Especially if the old change was just
> buf_size = pes->total_size (so clipping according to
> condition); and the new one is setting it to something
> different. 
> thx for patch.
> _______________________________________________ffmpeg-
> devel mailing listffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> To unsubscribe, visit link above, or emailffmpeg-devel-
> request@ffmpeg.org with subject
> "unsubscribe".___________________________________________
> ____ffmpeg-devel mailing listffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> To unsubscribe, visit link above, or 
> emailffmpeg-devel-request@ffmpeg.org with subject
> "unsubscribe".

Can you share the video file you are using to get the
segfault?
On Thu, 2021-08-05 at 23:10 +0200, Michael Niedermayer
wrote:
> On Thu, Aug 05, 2021 at 11:08:30PM +0200, Michael
> Niedermayer wrote:
> On Tue, Aug 03, 2021 at 10:07:34AM -0400, Sergio M.
> Ammirata, Ph.D. wrote:
> PES packet with too much padding trigger unlimited
> errormessages "PES packet size mismatch" because the code
> thatcorrects the length is wrong.Here is a sample file: 
> http://99.93.62.129/smpte2038.tsPID 300 is the one
> triggering the errors.I am attaching a patch that fixes
> the problem.
> 
>  mpegts.c |    2 +- 1 file changed, 1 insertion(+), 1
> deletion(-
> )8f8c73a5e78d7c740958054764defa3571979fc4  0001-Fix-
> setting-the-correct-size-for-PES-packets-with-
> to.patchFrom 3a2760d42b38023c73f9a3ab18de01a44526dbc9 Mon
> Sep 17 00:00:00 2001From: Sergio Ammirata <
> sergio@ammirata.net>Date: Tue, 3 Aug 2021 13:43:44
> +0000Subject: [PATCH] Fix setting the correct size for
> PES packets with too much padding
> --- libavformat/mpegts.c | 2 +- 1 file changed, 1
> insertion(+), 1 deletion(-)
> diff --git a/libavformat/mpegts.c
> b/libavformat/mpegts.cindex 640c9afa5d..40439c26c0
> 100644--- a/libavformat/mpegts.c+++
> b/libavformat/mpegts.c@@ -1355,7 +1355,7 @@
> skip:                            buf_size > pes-
> >total_size) {                     // pes packet size is
> < ts size packet and pes data is padded with
> 0xff                     // not sure if this is legal in
> ts but see issue #2392-                    buf_size =
> pes->total_size;+                    buf_size =
> PES_START_SIZE + pes->total_size - pes-
> >pes_header_size;                 }                 memcp
> y(pes->buffer->data + pes->data_index, p,
> buf_size);                 pes->data_index += buf_size;
> This causes segfaults
> ==5552== Invalid write of size 2==5552==    at 0x4C38753:
> memmove (in /usr/lib/valgrind/vgpreload_memcheck-amd64-
> linux.so)==5552==    by 0x62DD54: mpegts_push_data (in
> ffmpeg_g)==5552==    by 0x62B832: handle_packet (in
> ffmpeg_g)==5552==    by 0x62BCD4: handle_packets (in
> ffmpeg_g)==5552==    by 0x62BE11: mpegts_read_packet (in
> ffmpeg_g)==5552==    by 0x6BADB9: ff_read_packet (in
> ffmpeg_g)==5552==    by 0x6BBAFA: read_frame_internal (in
> ffmpeg_g)==5552==    by 0x6C05EC:
> avformat_find_stream_info (in ffmpeg_g)==5552==    by
> 0x2DB175: open_input_file (in ffmpeg_g)==5552==    by
> 0x2DEA5B: ffmpeg_parse_options (in
> ffmpeg_g)==5552==    by 0x2D3151: main (in
> ffmpeg_g)==5552==  Address 0x2d25cb80 is 0 bytes after a
> block of size 128 alloc'd==5552==    at 0x4C33E76:
> memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-
> linux.so)==5552==    by 0x4C33F91: posix_memalign (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-
> linux.so)==5552==    by 0x11166C2: av_malloc (in
> ffmpeg_g)==5552==    by 0x1100F65: av_buffer_alloc (in
> ffmpeg_g)==5552==    by 0x11017A4: av_buffer_pool_get (in
> ffmpeg_g)==5552==    by 0x62E16F: mpegts_push_data (in
> ffmpeg_g)==5552==    by 0x62B832: handle_packet (in
> ffmpeg_g)==5552==    by 0x62BCD4: handle_packets (in
> ffmpeg_g)==5552==    by 0x62BE11: mpegts_read_packet (in
> ffmpeg_g)==5552==    by 0x6BADB9: ff_read_packet (in
> ffmpeg_g)==5552==    by 0x6BBAFA: read_frame_internal (in
> ffmpeg_g)==5552==    by 0x6C05EC:
> avformat_find_stream_info (in ffmpeg_g)==5552==    by
> 0x2DB175: open_input_file (in ffmpeg_g)==5552==    by
> 0x2DEA5B: ffmpeg_parse_options (in
> ffmpeg_g)==5552==    by 0x2D3151: main (in ffmpeg_g)
> 
> [...]
> 
> _______________________________________________ffmpeg-
> devel mailing listffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> To unsubscribe, visit link above, or 
> emailffmpeg-devel-request@ffmpeg.org with subject
> "unsubscribe".