[FFmpeg-devel] [PATCH] libavformat aviobuf: Fixed dst pointer initialization in fill_buffer

Tue May 16 23:23:32 EEST 2017

On Tue, May 16, 2017 at 04:17:45PM +0000, Rob Meyers wrote:
> Here's a simple server we used to reproduce the problem:
> 
> #include <fcntl.h>
> #include <stdio.h>
> #include <string.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> #define INGOING "/tmp/audio.fifo"
> 
> ssize_t write_fifo(int fd, char* msg, int size) {
>   ssize_t write_rc;
> 
>   write_rc = write(fd, msg, size);
>   printf("msg '%s' write_rc = %ld\n", msg, write_rc);
>   if (write_rc != size) {
>     perror("write sent fewer bytes than expected");
>   }
>   if (write_rc == -1) {
>     perror("write error");
>   }
> 
>   return write_rc;
> }
> 
> int main(int argc, char *argv[]) {
>   mkfifo(INGOING, 0666);
> 
>   printf("Welcome to server.\n");
>   printf("channel for reading messages to server is %s\n", INGOING);
> 
>   int in_fd = open(INGOING, O_WRONLY);
>   if (in_fd == -1) {
>     perror("open error");
>     return 1;
>   }
> 
>   int argi = 1;
>   while (argi < argc) {
>     char *msg = argv[argi];
>     int len = strlen(msg);
>     ++argi;
> 
>     write_fifo(in_fd, msg, len);
>     sleep(1);
>   }
> 
>   return 0;
> }
> 
> --
> 
> The command line arguments are sent as individual messages. To demonstrate
> the problem I run with "abcdef ghijkl" as the args. This sends two 6 byte
> messages with a short gap between.
> 
> I run ffmpeg like so:
> ffmpeg -ar 1000 -ac 1 -acodec pcm_s16le -f s16le -probesize 5000000 -i
>  /tmp/audio.fifo -map_metadata -1 -vn -ac:a:0 1 -ar:a:0 1000 -codec:a:0
> pcm_s16le -sn -f s16le -y  -
> 

> Without my patch, you won't see all 12 bytes output, just "kl". My patch
> fixes this.

The patch makes it output all 12 bytes but this is more by luck than
by fixing the issue.

The issue is, well there are at least 2 issues
First the ff_id3v2_read_dict() Tries to read 10 bytes and failing to
find a id3 header seeks back.
This is buggy, it must call ffio_ensure_seekback() before it starts
any reading that it intends to seek back over.

the 2nd issue seems to be that fill_buffer() throws the larger
buffer ffio_ensure_seekback() created out too early.
I didnt investigate this deeply but something goes wrong there

and with ffio_ensure_seekback() and with the downallocation commented
the whole works and returns the 12 bytes

> 
> The buffer is in AVIOContext. The problem with the original code was that
> max_buffer_size is added to the request, to see if it's larger than another
> value that is also max_buffer_size. Like, "if (A + B) < B".

It may be that the buffer size and the maximum packet size are often
the same.  But they are not always the same, for example
ffio_ensure_seekback() makes them different

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Everything should be made as simple as possible, but not simpler.
-- Albert Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170516/266d67c5/attachment.sig>