[FFmpeg-devel] [PATCH] mov: only read e_old if there were any old streams

Sasi Inguva isasi at google.com
Mon Oct 31 20:20:18 EET 2016


First of all, if nb_old == 0 i.e. there are no entries in AVIndex, then
there is no point in calling mov_fix_index function at all. So instead of
doing the above , you can directly check for st->nb_index_entries > 0 at
the top of mov_fix_index and return otherwise.

Also, I don't understand how nb_old==0 can cause heap overflow. If I read
the code correctly, if nb_old==0  find_prev_closest_keyframe_index , should
return -1, which would make the function skip that edit list here

        if (index
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/mov.c?l=2968&ct=xref_jump_to_def&cl=GROK&gsn=index>
== -1) {            av_log
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavutil/log.h?l=234&ct=xref_jump_to_def&cl=GROK&gsn=av_log>(mov
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/mov.c?l=2949&ct=xref_jump_to_def&cl=GROK&gsn=mov>->fc
<https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavformat/isom.h?l=196&ct=xref_jump_to_def&cl=GROK&gsn=fc>,
AV_LOG_ERROR <https://cs.corp.google.com/piper///depot/google3/third_party/ffmpeg/src/libavutil/log.h?l=176&ct=xref_jump_to_def&cl=GROK&gsn=AV_LOG_ERROR>,
"Missing key frame while reordering index according to edit list\n");
          continue;        }


On Sun, Oct 30, 2016 at 12:11 PM, Andreas Cadhalpun <
andreas.cadhalpun at googlemail.com> wrote:

> This fixes a heap buffer overflow.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 357d800..95b546e 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -3028,7 +3028,7 @@ static void mov_fix_index(MOVContext *mov, AVStream
> *st)
>              // Audio decoders like AAC need need a decoder delay samples
> previous to the current sample,
>              // to correctly decode this frame. Hence for audio we seek to
> a frame 1 sec. before the
>              // edit_list_media_time to cover the decoder delay.
> -            search_timestamp = FFMAX(search_timestamp - mov->time_scale,
> e_old[0].timestamp);
> +            search_timestamp = FFMAX(search_timestamp - mov->time_scale,
> nb_old ? e_old[0].timestamp : INT64_MIN);
>          }
>
>          index = find_prev_closest_keyframe_index(st, e_old, nb_old,
> search_timestamp, 0);
> --
> 2.10.1
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>


More information about the ffmpeg-devel mailing list