[FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams

James Almer jamrial at gmail.com
Sun May 31 16:58:16 EEST 2020


On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/mlvdec.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> index dae13cae53..03aed71024 100644
> --- a/libavformat/mlvdec.c
> +++ b/libavformat/mlvdec.c
> @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt)
>  {
>      MlvContext *mlv = avctx->priv_data;
>      AVIOContext *pb;
> -    AVStream *st = avctx->streams[mlv->stream_index];
> +    AVStream *st;
>      int index, ret;
>      unsigned int size, space;
>  
> +    if (!avctx->nb_streams)
> +        return AVERROR_EOF;

Shouldn't you abort during read_header() instead if no streams are ever
allocated?

> +
> +    st = avctx->streams[mlv->stream_index];
>      if (mlv->pts >= st->duration)
>          return AVERROR_EOF;
>  
> 
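Review bot: the new guard only establishes that avctx->nb_streams is non-zero; it does not bound mlv->stream_index, so the following `st = avctx->streams[mlv->stream_index];` still relies on stream_index being smaller than nb_streams. Consider folding that into the same check (`if (!avctx->nb_streams || mlv->stream_index >= avctx->nb_streams)`), or, as suggested above, rejecting a file that allocates no streams in read_header() with AVERROR_INVALIDDATA so read_packet() is never entered in that state; returning AVERROR_EOF here reports a malformed file as a normal end of stream, which hides the actual error from callers.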