[FFmpeg-devel] [PATCH] ffm: reject a negative codec_id

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Tue Dec 15 00:03:22 CET 2015


A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.

This can cause NULL pointer dereferencing in try_decode_frame.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavformat/ffmdec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index afba905..ebf0ffd 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -330,6 +330,12 @@ static int ffm2_read_header(AVFormatContext *s)
             codec = st->codec;
             /* generic info */
             codec->codec_id = avio_rb32(pb);
+            if ((int)codec->codec_id < 0) {
+                av_log(s, AV_LOG_ERROR, "Codec id is negative: %d\n",
+                       codec->codec_id);
+                codec->codec_id = AV_CODEC_ID_NONE;
+                goto fail;
+            }
             codec->codec_type = avio_r8(pb);
             codec->bit_rate = avio_rb32(pb);
             codec->flags = avio_rb32(pb);
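Review bot: In the added check in ffm2_read_header, the comparison casts to int ("(int)codec->codec_id < 0") but the av_log call passes the uncast enum to "%d". Passing the same cast value to av_log would keep the logged number consistent with what was tested, whatever underlying type the compiler picks for the enum. The reset to AV_CODEC_ID_NONE just before "goto fail" also deserves a one-line comment saying why it is needed on a path that is about to fail, since the hunk does not show what still reads the field afterwards.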
@@ -516,6 +522,12 @@ static int ffm_read_header(AVFormatContext *s)
         codec = st->codec;
         /* generic info */
         codec->codec_id = avio_rb32(pb);
+        if ((int)codec->codec_id < 0) {
+            av_log(s, AV_LOG_ERROR, "Codec id is negative: %d\n",
+                   codec->codec_id);
+            codec->codec_id = AV_CODEC_ID_NONE;
+            goto fail;
+        }
         codec->codec_type = avio_r8(pb); /* codec_type */
         codec->bit_rate = avio_rb32(pb);
         codec->flags = avio_rb32(pb);
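Review bot: The six added lines in ffm_read_header are a verbatim copy of the check added to ffm2_read_header, so a small static helper called from both readers would keep the two from drifting apart. The added code also jumps to "fail" without setting an error value, and the fail label is outside the visible context. Please confirm that this path returns an error such as AVERROR_INVALIDDATA rather than whatever a return variable last held.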
-- 
2.6.2

