[FFmpeg-devel] [PATCH V2] libavformat/flacenc: reject too big picture blocks

[Michael Niedermayer]

On Tue, Oct 29, 2019 at 02:42:47PM +0100, Mattias Wadman wrote:
> A too big picture will case the muxer to write a truncated block size (uint24)
> causing the output file to be corrupt.
> 
> How to reproduce:
> 
> Write a file with truncated block size:
> ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map
> 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
> 
> Try to decode:
> ffmpeg -i test.flac test.wav
> 
> Signed-off-by: Mattias Wadman <mattias.wadman at gmail.com>
> ---
>  libavformat/flacenc.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
> index 93cc79bbe0..7b51c11404 100644
> --- a/libavformat/flacenc.c
> +++ b/libavformat/flacenc.c
> @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext
> *s, AVPacket *pkt)
>      AVDictionaryEntry *e;
>      const char *mimetype = NULL, *desc = "";
>      const AVStream *st = s->streams[pkt->stream_index];
> -    int i, mimelen, desclen, type = 0;
> +    int i, mimelen, desclen, type = 0, blocklen;
> 
>      if (!pkt->data)
>          return 0;
> @@ -140,8 +140,14 @@ static int flac_write_picture(struct
> AVFormatContext *s, AVPacket *pkt)
>          desc = e->value;

Applying: libavformat/flacenc: reject too big picture blocks
error: corrupt patch at line 10

probably line/word wrap

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicin you will get
a job for life at the pharma industry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191030/b49ed605/attachment.sig>