[FFmpeg-devel] [PATCH] libavformat/utils: Fix segfault on m4a cover artwork parsing

Lazaros Koromilas lostd at 2f30.org
Wed May 28 16:35:10 CEST 2014


On Wed, May 28, 2014 at 03:48:25AM +0200, Michael Niedermayer wrote:
> On Tue, May 27, 2014 at 02:38:44PM +0300, Lazaros Koromilas wrote:
> > Hello list,
> > 
> > I came across this bug when my MPD choked on some iTunes files while updating
> > its database.  Turns out that I had a few m4a files with zero-length cover
> > artwork tags that triggered this.  I've uploaded to the ftp server a sample
> > created from scratch with ffmpeg and TagLib under the name
> > segfault_avformat_cover_art.{m4a,txt}.  The diff at the end avoids the crash,
> > but I don't know if the return code is appropriate.  Maybe you want to simply
> > ignore those cases?  Including valgrind output also.  I'm not on the list,
> > so please reply in person for anything else.
> 
> patch applied
> 
> thanks
> 
> [...]

Hello again, I wasn't happy with the fix and did a little more
testing.  This diff lets you extract other streams if needed.  For
example in my case I can obtain a clean file with:

ffmpeg -i segfault_avformat_cover_art.m4a -acodec copy -map 0:0 out.m4a

Thanks,
Lazaros.
-------------- next part --------------
>From 06198f33915dd7264322ea13e996571962a00760 Mon Sep 17 00:00:00 2001
From: Lazaros Koromilas <lostd at 2f30.org>
Date: Wed, 28 May 2014 16:31:03 +0300
Subject: [PATCH] libavformat/utils: Warning about invalid cover art instead of
 an error

This way other streams can still be used with the -map option.
---
 libavformat/utils.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 3576279..d8f1363 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -517,8 +517,12 @@ int avformat_queue_attached_pictures(AVFormatContext *s)
         if (s->streams[i]->disposition & AV_DISPOSITION_ATTACHED_PIC &&
             s->streams[i]->discard < AVDISCARD_ALL) {
             AVPacket copy = s->streams[i]->attached_pic;
-            if (copy.size <= 0)
-                return AVERROR(EINVAL);
+            if (copy.size <= 0) {
+                av_log(s, AV_LOG_WARNING,
+                    "Attached picture on stream %d has invalid size, "
+                    "ignoring\n", i);
+                continue;
+            }
             copy.buf = av_buffer_ref(copy.buf);
             if (!copy.buf)
                 return AVERROR(ENOMEM);
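Review bot: In the new `copy.size <= 0` branch, the `continue` means the caller no longer learns that an attached picture was dropped. The function stops returning AVERROR(EINVAL) for this case, but the stream still carries AV_DISPOSITION_ATTACHED_PIC and gets no packet queued here. A short comment above the check, or a line in the commit message, should say that an attached-picture stream may now yield no packet, so that code consuming these streams does not wait for one. The warning would also be easier to act on if it printed the offending value, for example `"Attached picture on stream %d has invalid size %d, ignoring\n", i, copy.size`. As a style point, the continuation lines of the av_log() call should align with the first argument after the opening parenthesis rather than use a fixed four-space indent.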
-- 
1.9.2


