[FFmpeg-devel] [PATCH 11/12] avformat/nutenc: Don't segfault when chapters are added during muxing

Andreas Rheinhardt andreas.rheinhardt at gmail.com
Tue May 5 17:16:56 EEST 2020


When writing the header, the NUT muxer allocates an array with as many
entries as there are chapters containing information about the used
timebase. This information is used when writing the headers and also
when resending the headers (as the NUT muxer does from time to time).

When the NUT muxer writes or resends the headers, it simply presumes
that there are enough entries in its array for each chapter in the
AVFormatContext. Yet users are allowed to add chapters during the muxing
process, so this presumption is wrong and may lead to segfaults.

So explicitly store the number of entries of the chapter array and refer
to this number whenever headers are written.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
This patch presumes that the user may not change or remove the chapters
available during writing the header (if there were chapters available
when writing the header at all). I hope this is ok.

 libavformat/nut.h    | 1 +
 libavformat/nutenc.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/nut.h b/libavformat/nut.h
index a4409ee23d..52225fed93 100644
--- a/libavformat/nut.h
+++ b/libavformat/nut.h
@@ -115,6 +115,7 @@ typedef struct NUTContext {
     int flags;
     int version; // version currently in use
     int minor_version;
+    unsigned nb_chapters;
 } NUTContext;
 
 extern const AVCodecTag ff_nut_subtitle_tags[];
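Review bot: the new `unsigned nb_chapters;` member of NUTContext is undocumented, unlike `version` two lines above it, and it shares its name with the AVFormatContext field it is meant to be distinct from. A short comment would prevent the two being confused later, for example `unsigned nb_chapters; // number of entries in the chapter array, fixed when the header is written`.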
diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c
index 5071278835..2d35c44b79 100644
--- a/libavformat/nutenc.c
+++ b/libavformat/nutenc.c
@@ -675,7 +675,7 @@ static int write_headers(AVFormatContext *avctx, AVIOContext *bc)
             goto fail;
     }
 
-    for (i = 0; i < nut->avf->nb_chapters; i++) {
+    for (i = 0; i < nut->nb_chapters; i++) {
         write_chapter(nut, dyn_bc, i, prelude, &prelude_size);
         ret = put_packet(nut, bc, dyn_bc, prelude, prelude_size, INFO_STARTCODE);
         if (ret < 0)
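Review bot: with the loop bound changed to `nut->nb_chapters`, chapters added after the header was written are silently left out of every resent header, and nothing at the loop says this is intended; a one-line comment above the `for` would make it explicit. The new bound also only protects the muxer's own array: if `write_chapter()` uses `i` to index the AVFormatContext's chapter list as well, the loop is safe only while none of the initial chapters are removed, which is the assumption stated in the notes below the commit message. Bounding by the smaller of `nut->nb_chapters` and `nut->avf->nb_chapters`, or documenting that requirement in the code, would cover that case.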
@@ -719,6 +719,7 @@ static int nut_write_header(AVFormatContext *s)
         nut->chapter = av_calloc(s->nb_chapters, sizeof(*nut->chapter));
         if (!nut->chapter)
             return AVERROR(ENOMEM);
+        nut->nb_chapters = s->nb_chapters;
     }
 
     for (i = 0; i < s->nb_streams; i++) {
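Review bot: `nut->nb_chapters = s->nb_chapters;` is only executed inside this block, after the `av_calloc()` check, so when the block is not entered the loop in write_headers() relies on NUTContext having started out zeroed. That keeps the count and the array consistent on the success path, but it is worth stating in a comment, and the count should be reset to 0 wherever `nut->chapter` is freed so the two cannot disagree afterwards.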
-- 
2.20.1


