[FFmpeg-devel] [PATCH] avformat/mxfdec: Fix false positive in infinite loop detector
tomas.hardin at codemill.se
Mon Oct 27 16:52:26 CET 2014
On 2014-10-27 16:27, Michael Niedermayer wrote:
> Fixes Ticket4040
>
> Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> ---
> libavformat/mxfdec.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index b01dd0c..a1abc34 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -2211,6 +2211,13 @@ end:
> avio_seek(s->pb, mxf->run_in, SEEK_SET);
> }
>
> +static uint64_t loop_detection_state(AVFormatContext *s)
> +{
> + MXFContext *mxf = s->priv_data;
> +
> + return avio_tell(s->pb) + 0xA987654321*!mxf->current_partition;
> +}
> +
What the hell? Just use a flag or something, or mxf->parsing_backward
(preferably)
> static int mxf_read_header(AVFormatContext *s)
> {
> MXFContext *mxf = s->priv_data;
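Review bot: In loop_detection_state(), the `+ 0xA987654321*!mxf->current_partition` term packs two independent pieces of state (the file position and whether a current partition is set) into one integer using an unexplained constant. Two distinct states still map to the same value: a position p with no current partition and a position p + 0xA987654321 with one set. Suggest tracking the position and the partition state as two separate values and comparing both, or at minimum adding a comment that says which false positive the offset avoids and why the constant was chosen. The new function also has no comment tying it to the loop check in mxf_read_header().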
> @@ -2235,12 +2242,12 @@ static int mxf_read_header(AVFormatContext *s)
>
> while (!avio_feof(s->pb)) {
> const MXFMetadataReadTableEntry *metadata;
> - if (avio_tell(s->pb) == last_pos) {
> + if (loop_detection_state(s) == last_pos) {
> av_log(mxf->fc, AV_LOG_ERROR, "MXF structure loop
> detected\n");
> return AVERROR_INVALIDDATA;
> }
> if ((1ULL<<61) % last_pos_index++ == 0)
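Review bot: The new comparison `loop_detection_state(s) == last_pos` is only meaningful if last_pos is stored from the same function and declared wide enough for the offset value. The quoted hunk shows neither the declaration of last_pos nor the assignment that follows the `(1ULL<<61) % last_pos_index++ == 0` test, so both should be checked to use loop_detection_state(s) and uint64_t rather than a bare avio_tell(s->pb). That modulo test also deserves a one-line comment: it is true only when last_pos_index is a power of two, which is not obvious from the expression, and it divides by zero if last_pos_index ever starts at 0.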
This looks extremely dubious, but I see 1c010fd03 was a stop gap to fix
an issue discovered by fuzzing. Why didn't anyone poke me on IRC about
it?
I have furniture to move today, after that I might have some time to
develop a non-awful fix.
/Tomas