[FFmpeg-devel] [PATCH 5/5] avformat/oggdec: Disable mid stream codec changes

Michael Niedermayer michael at niedermayer.cc
Sat Jun 13 14:23:45 EEST 2020


The code crashes and neither the authors nor anyone else fixed this.
We cannot release code which crashes, so if no one fixes it, the only
option left is to disable or revert. Revert is difficult as there are
multiple commits afterwards.

Fixes: 22082/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5688619118624768
Fixes: crash from V-codecs/Theora/theora_testsuite_broken/multi2.ogg

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavformat/oggdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 9eb45499c6..1f3ed8024c 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -229,6 +229,15 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, char *magic,
     /* We only have a single stream anyway, so if there's a new stream with
      * a different codec just replace it */
     os = &ogg->streams[0];
+    if (os->codec != codec) {
+        /*
+         * The codec change code from 8296443a70f052a6f5c9a867d28b83a5eb7d304d and surounding commits
+         * crashes with out of array accesses
+         * testcase is https://samples.ffmpeg.org/V-codecs/Theora/theora_testsuite_broken/multi2.ogg
+         */
+        return AVERROR_PATCHWELCOME;
+    }
+
     os->serial  = serial;
     os->codec   = codec;
     os->serial  = serial;
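Review bot: the new comment block has a typo, "surounding" should be "surrounding", and it would be worth citing the oss-fuzz testcase id from the commit message alongside the multi2.ogg sample so both reproducers can be found from the code. The early return is placed correctly: it comes after `os = &ogg->streams[0]` but before any field of `os` is written, so a rejected codec change leaves the existing stream state untouched. Note also that the unchanged context assigns `os->serial = serial;` both before and after `os->codec = codec;`; the second assignment is redundant and could go in a separate cleanup. Since returning AVERROR_PATCHWELCOME turns a previously crashing input into a demux error, stating in the commit message that chained Ogg streams with a codec change are now rejected rather than played would make the user-visible behaviour change explicit.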
-- 
2.17.1