[FFmpeg-devel] [PATCH] avformat/adxdec: check avctx->channels for invalid values

Michael Niedermayer michaelni at gmx.at
Thu Feb 26 12:36:09 CET 2015


On Thu, Feb 26, 2015 at 01:27:34AM +0100, Andreas Cadhalpun wrote:
> On 26.02.2015 00:24, Michael Niedermayer wrote:
> >On Wed, Feb 25, 2015 at 11:48:33PM +0100, Andreas Cadhalpun wrote:
> >>Hi,
> >>
> >>if avctx->channels is 0 in adx_read_packet, size gets set to 0,
> >>av_get_packet sets pkt->data to NULL and then AV_RB16(pkt->data)
> >>results in a null pointer dereference.
> >>
> >>Attached patch fixes this.
> >>
> >>Best regards,
> >>Andreas
> >
> >>  adxdec.c |    5 +++++
> >>  1 file changed, 5 insertions(+)
> >>7312e6a3be1771c83eac72784496c6fc4692d954  0001-avformat-adxdec-check-avctx-channels-for-invalid-val.patch
> >> From 2578976a0a9eec03d168f393795119fd274ee81f Mon Sep 17 00:00:00 2001
> >>From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >>Date: Wed, 25 Feb 2015 22:55:44 +0100
> >>Subject: [PATCH] avformat/adxdec: check avctx->channels for invalid values
> >>
> >>This avoids a null pointer dereference of pkt->data.
> >>
> >>Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >>---
> >>  libavformat/adxdec.c | 5 +++++
> >>  1 file changed, 5 insertions(+)
> >>
> >>diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c
> >>index ddaa201..24a8a1f 100644
> >>--- a/libavformat/adxdec.c
> >>+++ b/libavformat/adxdec.c
> >>@@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt)
> >>      AVCodecContext *avctx = s->streams[0]->codec;
> >>      int ret, size;
> >>
> >>+    if (avctx->channels <= 0) {
> >>+        av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels);
> >>+        return AVERROR_INVALIDDATA;
> >>+    }
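Review bot: the guard added at the top of adx_read_packet() only rejects avctx->channels <= 0, so the value taken from s->streams[0]->codec still has no upper bound. The description says the packet size follows from the channel count, so consider rejecting implausibly large counts in the same condition. The check also runs on every packet read and emits an AV_LOG_ERROR each time it fails, which argues for validating the value once where the header is parsed and keeping this copy as a second line of defence. Style point: the av_log() line runs past 80 columns and could wrap after the format string.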
> >
> >the demuxer should extract the channel value in adx_read_header()
> >and check it there. (if it needs the channels, which it does currently)
> >
> >it's not good for demuxing to depend on a decoder/parser setting this
> >value between reading the file header and before demuxing the first
> >packet
> 
> You're right about that. Attached is a patch for this.
> 
> However it might still be a good idea to apply above patch, because
> the decoder/parser could set avctx->channels to 0, even if the
> demuxer has set it to something positive.

ok, applied both

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
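
The failure path described in the quoted report (zero channels, zero-byte packet, NULL data, 16-bit read) and the check-before-use fix, modelled as an added example that is not code from this thread or from FFmpeg. `struct packet`, `get_packet`, the error constants and the `BLOCK_SIZE` value are stand-ins assumed for the model, and the upper bound on the channel count is an addition of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BLOCK_SIZE      18   /* assumed per-channel block size for this model */
#define ERR_INVALIDDATA (-1) /* stand-in for AVERROR_INVALIDDATA */
#define ERR_IO          (-2) /* stand-in for a short-read error */

struct packet { const uint8_t *data; int size; };

/* Toy av_get_packet() stand-in: a 0-byte request succeeds with data == NULL. */
static int get_packet(const uint8_t *src, int src_len, struct packet *pkt, int size)
{
    int ok = size >= 0 && size <= src_len;
    pkt->data = ok && size ? src : NULL;
    pkt->size = ok ? size : 0;
    return ok ? size : ERR_IO;
}

/* Unchecked flow: 1 if the caller would next read 16 bits via NULL data. */
static int unchecked_reaches_null_read(const uint8_t *src, int src_len, int channels)
{
    struct packet pkt;
    int size = BLOCK_SIZE * channels; /* 0 channels gives a 0-byte request */
    int ret  = get_packet(src, src_len, &pkt, size);
    return ret == size && pkt.data == NULL;
}

/* Checked flow: reject the channel count before deriving the size. */
static int read_packet_checked(const uint8_t *src, int src_len, int channels,
                               struct packet *pkt, unsigned *first16)
{
    int ret;
    if (channels <= 0 || channels > INT_MAX / BLOCK_SIZE)
        return ERR_INVALIDDATA;
    ret = get_packet(src, src_len, pkt, BLOCK_SIZE * channels);
    if (ret != BLOCK_SIZE * channels)
        return ret < 0 ? ret : ERR_IO;
    *first16 = (unsigned)pkt->data[0] << 8 | pkt->data[1]; /* big-endian read */
    return 0;
}

int main(void)
{
    static const uint8_t sample[36] = { 0x12, 0x34 }; /* constructed input */
    struct packet pkt;
    unsigned v = 0;
    return unchecked_reaches_null_read(sample, 36, 0) == 1 &&
           read_packet_checked(sample, 36, 0, &pkt, &v) == ERR_INVALIDDATA ? 0 : 1;
}
```

The short-read comparison alone does not catch the zero-channel case, because a zero-byte request that returns zero bytes looks like a complete read.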