From patchwork Thu Nov 3 15:17:38 2022
X-Patchwork-Submitter: Derek Buitenhuis
X-Patchwork-Id: 39144
From: Derek Buitenhuis
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 3 Nov 2022 15:17:38 +0000
Message-Id: <20221103151738.28002-1-derek.buitenhuis@gmail.com>
X-Mailer: git-send-email 2.37.2
Subject: [FFmpeg-devel] [PATCH] fftools/ffprobe: Loop over correct number of streams when flushing decoders

Some formats like FLV can dynamically add streams during packet reading.
FFprobe does check for this and reallocate the global stream info, but
does not reallocate InputFrame's streams and decoders when this happens,
which, as a result, could have caused flushing to occur on an out of
bounds stream index, since the flush loop iterates over fmt_ctx's
nb_streams, and not ifile's, despite using ifile's streams.

This fixes an out of bounds read and segfault.

Signed-off-by: Derek Buitenhuis
---
Sample file: https://www.dropbox.com/s/ocu1ta6xzw8j6e7/dynamic_stream_segfault.flv?dl=0

Repro commands:

1. ffprobe -select_streams 1 -read_intervals '%+#60' -show_frames dynamic_stream_segfault.flv
2. ffprobe -select_streams 1 -show_frames dynamic_stream_segfault.flv
---
 fftools/ffprobe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fftools/ffprobe.c b/fftools/ffprobe.c
index 9b7e82fd8c..99adf615ae 100644
--- a/fftools/ffprobe.c
+++ b/fftools/ffprobe.c
@@ -2893,7 +2893,7 @@ static int read_interval_packets(WriterContext *w, InputFile *ifile,
     }
     av_packet_unref(pkt);
     //Flush remaining frames that are cached in the decoder
-    for (i = 0; i < fmt_ctx->nb_streams; i++) {
+    for (i = 0; i < ifile->nb_streams; i++) {
         pkt->stream_index = i;
         if (do_read_frames) {
             while (process_frame(w, ifile, frame, pkt, &(int){1}) > 0);
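Review bot: the new bound ifile->nb_streams is the right one for this loop, since the body hands ifile (not fmt_ctx) to process_frame, but it only closes the out-of-bounds read; as the commit message itself says, ifile's streams and decoders are never reallocated when a format such as FLV adds a stream mid-read, so any frames buffered in a decoder for a late-added stream are still never flushed here. Please state in the commit message that this narrower fix is intentional, or follow up with a patch that grows ifile->streams when fmt_ctx->nb_streams changes so the two counts cannot diverge again. Since the reproducer currently lives only on a Dropbox link, a FATE test built from the sample file would keep this from regressing.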