[FFmpeg-devel] [PATCH] libavformat/flacdec: Workaround for truncated metadata picture size
Mattias Wadman
mattias.wadman at gmail.com
Wed Apr 22 18:30:14 EEST 2020
On Wed, Apr 22, 2020 at 5:18 PM Andreas Rheinhardt
<andreas.rheinhardt at gmail.com> wrote:
>
> Mattias Wadman:
> > lavf flacenc could previously write truncated metadata picture size if
> > the picture data did not fit in 24 bits. Detect this by truncting the
> > size found inside the picture block and if it matches the block size
> > use it and read rest of picture data.
> >
> > flacenc was fixed in e447a4d112bcfee10126c54eb4481fa8712957c8
> > ---
> > libavformat/flac_picture.c | 23 +++++++++++++++++++++--
> > 1 file changed, 21 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c
> > index 81ddf80465..17be497f95 100644
> > --- a/libavformat/flac_picture.c
> > +++ b/libavformat/flac_picture.c
> > @@ -32,11 +32,12 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
> > const CodecMime *mime = ff_id3v2_mime_tags;
> > enum AVCodecID id = AV_CODEC_ID_NONE;
> > AVBufferRef *data = NULL;
> > - uint8_t mimetype[64], *desc = NULL;
> > + uint8_t mimetype[64], *desc = NULL, *picturebuf = NULL;
> > GetByteContext g;
> > AVStream *st;
> > int width, height, ret = 0;
> > - unsigned int len, type;
> > + unsigned int type;
> > + uint32_t len, left, lendiff;
> >
> > if (buf_size < 34) {
> > av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
> > @@ -114,6 +115,23 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
> >
> > /* picture data */
> > len = bytestream2_get_be32u(&g);
> > +
> > + // Workaround lavf flacenc bug that allowed writing truncated metadata picture block size if
> > + // picture size did not fit in 24 bits
> > + left = bytestream2_get_bytes_left(&g);
> > + if (len > left && (len & 0xffffff) == left) {
> > + av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %d to %d\n", left, len);
> > +
> > + picturebuf = av_malloc(len);
> > + if (!picturebuf)
> > + RETURN_ERROR(AVERROR(ENOMEM));
> > + lendiff = len - left;
> > + bytestream2_get_buffer(&g, picturebuf, left);
> > + if (avio_read(s->pb, picturebuf+left, lendiff) < lendiff)
> > + RETURN_ERROR(AVERROR_INVALIDDATA);
> > + bytestream2_init(&g, picturebuf, len);
> > + }
> > +
> > if (len <= 0 || len > bytestream2_get_bytes_left(&g)) {
> > av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
> > if (s->error_recognition & AV_EF_EXPLODE)
> > @@ -155,6 +173,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
> > fail:
> > av_buffer_unref(&data);
> > av_freep(&desc);
> > + av_freep(&picturebuf);
> >
> > return ret;
> > }
> >
> 1. This fixes ticket 6333 (you will now no longer run into the flac
> parser bug), doesn't it? If so, you should mention it.
Yes this patch should fixat that. Didn't know there was a ticket, will
mention it.
> 2. ff_flac_parse_picture() is called from two places: The flac demuxer
> as well as the vorbis-in-ogg demuxer. In the latter case the picture
> data is base64-encoded and reading anything via the AVIOContext is a
> very bad idea (ff_vorbis_comment() is for e.g. used to parse
> VorbisComments contained in the CodecPrivate of FLAC tracks (for channel
> masks) and if such a CodecPrivate also contained an embedded picture
> that happens to trigger this scenario, you would read more data
> believing it comes from immediately after the buffer you have received,
> but that is just not true). You need to add a parameter to distinguish
> these cases.
Ok will look into that. Thanks for the speedy review!
-Mattias
>
> - Andreas
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list