[FFmpeg-cvslog] lavf/mov: ensure only one tkhd per trak

chcunningham git at videolan.org
Thu Mar 28 18:32:47 EET 2019


ffmpeg | branch: release/3.4 | chcunningham <chcunningham at chromium.org> | Thu Dec 13 13:58:40 2018 -0800| [cb901e183608b58b6ed9aea0f11c77b20967fe0e] | committer: Michael Niedermayer

lavf/mov: ensure only one tkhd per trak

Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.

Reviewed-by: Baptiste Coudurier <baptiste.coudurier at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb901e183608b58b6ed9aea0f11c77b20967fe0e
---

 libavformat/mov.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2328b8f445..6e954dd444 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3805,7 +3805,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 
     st = avformat_new_stream(c->fc, NULL);
     if (!st) return AVERROR(ENOMEM);
-    st->id = c->fc->nb_streams;
+    st->id = -1;
     sc = av_mallocz(sizeof(MOVStreamContext));
     if (!sc) return AVERROR(ENOMEM);
 
@@ -4087,6 +4087,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     st = c->fc->streams[c->fc->nb_streams-1];
     sc = st->priv_data;
 
+    // Each stream (trak) should have exactly 1 tkhd. This catches bad files and
+    // avoids corrupting AVStreams mapped to an earlier tkhd.
+    if (st->id != -1)
+        return AVERROR_INVALIDDATA;
+
     version = avio_r8(pb);
     flags = avio_rb24(pb);
     st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0;



More information about the ffmpeg-cvslog mailing list