[FFmpeg-devel] [PATCH] avformat/tta: fix crash with corrupted files
Paul B Mahol
onemda at gmail.com
Tue Feb 3 15:40:58 CET 2015
On 2/3/15, wm4 <nfxjfg at googlemail.com> wrote:
> av_add_index_entry() can fail, for example because the parameters are
> invalid, or because memory allocation fails. Check this; it can actually
> happen with corrupted files.
>
> The second hunk is just for robustness. Just in case functions like
> ff_reduce_index() remove entries. (Not sure if this can actually
> happen.)
>
> Fixes ticket #4242.
> ---
> libavformat/tta.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/tta.c b/libavformat/tta.c
> index 7174fd5..d3b3fb0 100644
> --- a/libavformat/tta.c
> +++ b/libavformat/tta.c
> @@ -118,8 +118,10 @@ static int tta_read_header(AVFormatContext *s)
> ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX);
> for (i = 0; i < c->totalframes; i++) {
> uint32_t size = avio_rl32(s->pb);
> - av_add_index_entry(st, framepos, i * c->frame_size, size, 0,
> - AVINDEX_KEYFRAME);
> + int r;
> + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size,
> 0,
> + AVINDEX_KEYFRAME)) < 0)
> + return r;
> framepos += size;
> }
> crc = ffio_get_checksum(s->pb) ^ UINT32_MAX;
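Review bot: the early return added inside the index-building loop of tta_read_header() fails silently. The second hunk logs before returning AVERROR_INVALIDDATA, so for consistency, and to help anyone triaging a rejected file, an av_log(s, AV_LOG_ERROR, ...) call before `return r;` would say why the header was refused. Splitting the call from the test (`r = av_add_index_entry(...);` followed by `if (r < 0)`) would also avoid the assignment inside the condition and the awkwardly wrapped argument list.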
> @@ -153,6 +155,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket
> *pkt)
> if (c->currentframe >= c->totalframes)
> return AVERROR_EOF;
>
> + if (st->nb_index_entries < c->totalframes) {
> + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n");
> + return AVERROR_INVALIDDATA;
> + }
> +
> size = st->index_entries[c->currentframe].size;
>
> ret = av_get_packet(s->pb, pkt, size);
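Review bot: the guard added in tta_read_packet() compares st->nb_index_entries with c->totalframes, but the access it protects is st->index_entries[c->currentframe]. The read is only in bounds because of the `c->currentframe >= c->totalframes` check just above. Testing `c->currentframe >= st->nb_index_entries` would state the bound on the access itself and would not reject frames whose entries are still present. A one-line comment naming the path that could shrink the index would help too, since the commit message only guesses at ff_reduce_index() and the log text "Index entry disappeared" does not explain it.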
> --
> 2.1.4
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
lgtm