[FFmpeg-devel] [PATCH] fix crash in realmedia demuxer

[Jai Menon]

Hi,

On Tue, Dec 23, 2008 at 6:19 PM, Ronald S. Bultje <rsbultje at gmail.com> wrote:
> Hi,
>
> On Tue, Dec 23, 2008 at 5:31 AM, Jai Menon <jmenon86 at gmail.com> wrote:
>> The segfault is observed when sub packet size is zero. I have
>> absolutely no clue what that field is supposed
>> to be so I dunno if it can be applied as is. maybe rmdec.c maintainer knows?
>> anyway, attached patch "fixes" the issue.
>
> In rm_read_audio_stream_info():
>
>            if(sub_packet_size <= 0){
>                av_log(s, AV_LOG_ERROR, "sub_packet_size is invalid\n");
>                return -1;
>            }
>
> I assume you removed that check and didn't send a patch for it (or did
> I miss it?)?

I don't know if I understood you correctly but I didn't remove any
checks. The sample
crashes with rmdec.c from svn head. I didn't explore further so don't
know why that
that check has no effect. From a brief glance, it seems that validity
of sub_packet_size
is not checked when the desc field is "dnet", that is AC3 streams. So
sub_packet_size is zero
when parsing this packet and when the demuxer comes across a cook
audio packet it blows up.
Anyway, you might want to come up with a better analysis :-)

> In any case, I've seen the samples and thanks for looking at it, I was
> intending to do that at some point. :-).

And not to mention a majority of stuff from that list is in an rm container ;-)

> Ronald

-- 
Regards,

Jai