[FFmpeg-devel] [PATCH 1/6] Refactor the 'fmt ' tag search and parsing

Ronald S. Bultje rsbultje
Mon Mar 7 18:17:50 CET 2011


Hi,

On Fri, Mar 4, 2011 at 3:21 AM, Tomas Härdin <tomas.hardin at codemill.se> wrote:
> diff --git a/libavformat/wav.c b/libavformat/wav.c
[..]
> +static int wav_parse_fmt_tag(AVFormatContext *s, int64_t size, AVStream **st)
[..]
> +    *st = av_new_stream(s, 0);
> +    if (!*st)
> +        return AVERROR(ENOMEM);
> +
> +    ff_get_wav_header(pb, (*st)->codec, size);
> +    (*st)->need_parsing = AVSTREAM_PARSE_FULL;
> +
> +    av_set_pts_info(*st, 64, 1, (*st)->codec->sample_rate);
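Review bot: (*st)->codec->sample_rate is passed straight to av_set_pts_info() as the time-base denominator with no check, so a 'fmt ' chunk carrying a zero sample rate sets up a zero-denominator time base; and if ff_get_wav_header() reports a failure, nothing here propagates it. Suggest validating before the av_set_pts_info() call, e.g. `if (!(*st)->codec->sample_rate) return AVERROR_INVALIDDATA;`, and returning any error ff_get_wav_header() hands back.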
[..]
> +        next_tag_ofs = url_ftell(pb) + size;
> +
> +        if (tag == MKTAG('f', 'm', 't', ' ')) {
> +            if ((ret = wav_parse_fmt_tag(s, size, &st) < 0))
> +                return ret;
> +
> +            got_fmt = 1;
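Review bot: the parentheses on `if ((ret = wav_parse_fmt_tag(s, size, &st) < 0))` are misplaced: ret receives the result of the comparison (0 or 1), not the return value, so on failure the demuxer returns 1 instead of the negative error code, and callers checking for ret < 0 never see an error. Should be `if ((ret = wav_parse_fmt_tag(s, size, &st)) < 0)`. Separately, the branch runs for every 'fmt ' chunk it meets; given got_fmt is tracked right here, `if (got_fmt) { skip; }` before the parse would avoid creating a second stream.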

A security-type concern here (not really, but please let me elaborate)
is that you here allow "broken" files with multiple fmt chunks to set
up multiple AVStreams, which would never contain data and thus hang
for a long time in av_find_stream_info(). Probably a second fmt chunk
should be ignored/skipped.

Ronald
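The duplicate-'fmt '-chunk case Ronald describes, as an added example that is not part of the patch or of FFmpeg's wav.c: a minimal RIFF chunk walker over an in-memory buffer that parses the first 'fmt ' chunk, counts and skips any later ones instead of creating another stream, rejects a zero sample rate, and refuses chunks whose declared size exceeds the bytes actually present. The names scan_wav, build_sample_wav and struct wav_scan are assumptions of this example; the MKTAG macro is defined locally in the same byte order FFmpeg uses, and the WAV bytes are constructed here for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same little-endian packing FFmpeg's MKTAG uses; defined locally for this example. */
#define MKTAG(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
                           ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

struct wav_scan {
    int streams;        /* streams a demuxer would have created (must stay 1) */
    int skipped_fmt;    /* extra 'fmt ' chunks ignored instead of parsed */
    uint32_t sample_rate;
    uint32_t data_size;
    int got_data;
};

static uint32_t rl32(const uint8_t *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the chunk list. Returns 0 on success, -1 on malformed input. */
int scan_wav(const uint8_t *buf, size_t len, struct wav_scan *out)
{
    size_t pos = 12;
    int got_fmt = 0;

    memset(out, 0, sizeof *out);
    if (len < 12 || rl32(buf) != MKTAG('R', 'I', 'F', 'F') ||
        rl32(buf + 8) != MKTAG('W', 'A', 'V', 'E'))
        return -1;

    while (pos + 8 <= len) {
        uint32_t tag  = rl32(buf + pos);
        uint32_t size = rl32(buf + pos + 4);
        size_t body   = pos + 8;

        if (size > len - body)          /* chunk claims more bytes than the file holds */
            return -1;

        if (tag == MKTAG('f', 'm', 't', ' ')) {
            if (got_fmt) {
                out->skipped_fmt++;     /* second 'fmt ': skip, do not create a stream */
            } else {
                if (size < 16)          /* PCM fmt body is at least 16 bytes */
                    return -1;
                out->sample_rate = rl32(buf + body + 4);
                if (out->sample_rate == 0)  /* would become a zero time-base denominator */
                    return -1;
                out->streams++;
                got_fmt = 1;
            }
        } else if (tag == MKTAG('d', 'a', 't', 'a')) {
            if (!got_fmt)               /* data before any fmt: no codec parameters */
                return -1;
            out->data_size = size;
            out->got_data = 1;
            break;
        }
        pos = body + size + (size & 1); /* RIFF chunk bodies are padded to even length */
    }
    return (got_fmt && out->got_data) ? 0 : -1;
}

static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void put16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Constructed sample: RIFF/WAVE with two 'fmt ' chunks followed by a 4-byte 'data' chunk (72 bytes). */
size_t build_sample_wav(uint8_t *buf, size_t cap)
{
    static const uint32_t rates[2] = { 8000, 44100 };
    size_t pos = 0;
    int i;

    if (cap < 72)
        return 0;
    memcpy(buf, "RIFF", 4); put32(buf + 4, 64); memcpy(buf + 8, "WAVE", 4); pos = 12;
    for (i = 0; i < 2; i++) {
        memcpy(buf + pos, "fmt ", 4); put32(buf + pos + 4, 16);
        put16(buf + pos + 8, 1);             /* WAVE_FORMAT_PCM */
        put16(buf + pos + 10, 1);            /* channels */
        put32(buf + pos + 12, rates[i]);     /* sample rate */
        put32(buf + pos + 16, rates[i] * 2); /* byte rate */
        put16(buf + pos + 20, 2);            /* block align */
        put16(buf + pos + 22, 16);           /* bits per sample */
        pos += 24;
    }
    memcpy(buf + pos, "data", 4); put32(buf + pos + 4, 4); memset(buf + pos + 8, 0, 4);
    return pos + 12;
}

int main(void)
{
    uint8_t buf[128];
    struct wav_scan r;
    size_t n = build_sample_wav(buf, sizeof buf);
    int rc = scan_wav(buf, n, &r);
    printf("rc=%d streams=%d skipped_fmt=%d rate=%u data=%u\n",
           rc, r.streams, r.skipped_fmt, r.sample_rate, r.data_size);
    return rc;
}
```

The scan keeps the first 'fmt ' chunk's parameters (8000 Hz here) and records the second only as skipped, so a demuxer built this way would expose one stream and av_find_stream_info() would have data to read for it.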


