[FFmpeg-devel] [PATCH] avformat/tta: fix crash with corrupted files
Michael Niedermayer
michaelni at gmx.at
Tue Feb 3 16:01:53 CET 2015
On Tue, Feb 03, 2015 at 02:40:58PM +0000, Paul B Mahol wrote:
> On 2/3/15, wm4 <nfxjfg at googlemail.com> wrote:
> > av_add_index_entry() can fail, for example because the parameters are
> > invalid, or because memory allocation fails. Check this; it can actually
> > happen with corrupted files.
> >
> > The second hunk is just for robustness. Just in case functions like
> > ff_reduce_index() remove entries. (Not sure if this can actually
> > happen.)
> >
> > Fixes ticket #4242.
> > ---
> > libavformat/tta.c | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavformat/tta.c b/libavformat/tta.c
> > index 7174fd5..d3b3fb0 100644
> > --- a/libavformat/tta.c
> > +++ b/libavformat/tta.c
> > @@ -118,8 +118,10 @@ static int tta_read_header(AVFormatContext *s)
> > ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX);
> > for (i = 0; i < c->totalframes; i++) {
> > uint32_t size = avio_rl32(s->pb);
> > - av_add_index_entry(st, framepos, i * c->frame_size, size, 0,
> > - AVINDEX_KEYFRAME);
> > + int r;
> > + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size,
> > 0,
> > + AVINDEX_KEYFRAME)) < 0)
> > + return r;
> > framepos += size;
> > }
> > crc = ffio_get_checksum(s->pb) ^ UINT32_MAX;
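Review bot: the new `return r` in the loop of tta_read_header() fails silently, and it exits between `ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX)` and the `ffio_get_checksum(s->pb)` call that follows the loop. Consider an av_log() at AV_LOG_ERROR before returning, as the second hunk does for its own error path, so that a failure caused by a corrupted file is visible to the caller. The wrapped condition would also read more easily as a plain assignment to `r` followed by `if (r < 0)`.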
> > @@ -153,6 +155,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket
> > *pkt)
> > if (c->currentframe >= c->totalframes)
> > return AVERROR_EOF;
> >
> > + if (st->nb_index_entries < c->totalframes) {
> > + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n");
> > + return AVERROR_INVALIDDATA;
> > + }
> > +
> > size = st->index_entries[c->currentframe].size;
> >
> > ret = av_get_packet(s->pb, pkt, size);
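Review bot: the guard `st->nb_index_entries < c->totalframes` in tta_read_packet() is broader than the read it protects, which is `st->index_entries[c->currentframe]`. Checking `c->currentframe >= st->nb_index_entries` would cover exactly that access and would still serve the frames whose entries remain; if rejecting the whole stream is the intent, a short comment saying so would help. The message "Index entry disappeared" could also include the frame number to make bug reports easier to triage.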
> > --
> > 2.1.4
> >
> >
>
> lgtm
applied with the correct ticket number
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didnt complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"