[FFmpeg-devel] [PATCH 1/4] avformat/asfdec_o: Don't segfault with lots of attached pics
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Sun Nov 15 07:51:05 EET 2020
Andreas Rheinhardt:
> The ASF file format has a limit of 127 streams and the "asf_o" demuxer
> (the ASF demuxer from Libav) has an array of pointers for a structure
> called ASFStream that is allocated on demand for every stream. Attached
> pictures are not streams in the sense of the ASF specification, yet the
> demuxer created an ASFStream for them; and in one codepath it also
> forgot to check whether the array of ASFStreams is already full. The
> result is a write beyond the end of the array and a segfault later on.
>
> Fixing this is easy: Don't create ASFStreams for attached picture
> streams.
>
> (Other results of the current state of affairs are unnecessary allocations
> (of ASFStreams structures), the misparsing of valid files (there might not
> be enough ASFStreams left for the valid streams if attached pictures take
> up too many); furthermore, the ASFStreams created for attached pictures all
> have the stream number 0, an invalid stream number (the valid range is
> 1-127). This means that invalid data (packets for a stream with stream
> number 0) won't get rejected later on.)
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
> libavformat/asfdec_o.c | 14 ++------------
> 1 file changed, 2 insertions(+), 12 deletions(-)
>
> diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
> index b142f83541..0a7e47d8cc 100644
> --- a/libavformat/asfdec_o.c
> +++ b/libavformat/asfdec_o.c
> @@ -357,7 +357,6 @@ static int asf_set_metadata(AVFormatContext *s, const uint8_t *name,
> * but in reality this is only loosely similar */
> static int asf_read_picture(AVFormatContext *s, int len)
> {
> - ASFContext *asf = s->priv_data;
> AVPacket pkt = { 0 };
> const CodecMime *mime = ff_id3v2_mime_tags;
> enum AVCodecID id = AV_CODEC_ID_NONE;
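Review bot: Dropping the `asf` local here is only safe if no other use of it survives in asf_read_picture(); the visible uses (`asf->asf_st[asf->nb_streams]` and `asf->nb_streams++`) are deleted in the third hunk, so this hunk must land together with that one or the function no longer compiles. Worth a quick grep of the full function body before applying to confirm there is no remaining reference outside the shown context.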
> @@ -365,7 +364,6 @@ static int asf_read_picture(AVFormatContext *s, int len)
> uint8_t *desc = NULL;
> AVStream *st = NULL;
> int ret, type, picsize, desc_len;
> - ASFStream *asf_st;
>
> /* type + picsize + mime + desc */
> if (len < 1 + 4 + 2 + 2) {
> @@ -422,22 +420,14 @@ static int asf_read_picture(AVFormatContext *s, int len)
> ret = AVERROR(ENOMEM);
> goto fail;
> }
> - asf->asf_st[asf->nb_streams] = av_mallocz(sizeof(*asf_st));
> - asf_st = asf->asf_st[asf->nb_streams];
> - if (!asf_st) {
> - ret = AVERROR(ENOMEM);
> - goto fail;
> - }
>
> st->disposition |= AV_DISPOSITION_ATTACHED_PIC;
> - st->codecpar->codec_type = asf_st->type = AVMEDIA_TYPE_VIDEO;
> + st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
> st->codecpar->codec_id = id;
> st->attached_pic = pkt;
> - st->attached_pic.stream_index = asf_st->index = st->index;
> + st->attached_pic.stream_index = st->index;
> st->attached_pic.flags |= AV_PKT_FLAG_KEY;
>
> - asf->nb_streams++;
> -
> if (*desc) {
> if (av_dict_set(&st->metadata, "title", desc, AV_DICT_DONT_STRDUP_VAL) < 0)
> av_log(s, AV_LOG_WARNING, "av_dict_set failed.\n");
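Review bot: The deleted `asf->asf_st[asf->nb_streams] = av_mallocz(sizeof(*asf_st));` indexed the fixed-size pointer array with no check against the 127-stream limit named in the commit message, which is the out-of-bounds write; removing the ASFStream allocation rather than bolting on a bounds check is the right fix, since attached pictures are not ASF streams and the slot would otherwise carry stream number 0. One thing to double-check: the AVStream is still created and `st->attached_pic.stream_index = st->index` is kept, but there is now no ASFStream with a matching `index` for it, so any later code that walks `asf->asf_st[0..nb_streams)` and assumes every entry in `s->streams` has a corresponding ASFStream (e.g. a lookup by AVStream index) must tolerate the gap. It would also help to mention in the commit message that the now-unreferenced `asf_st` on the `fail` path previously leaked when `avformat_new_stream()` succeeded but a later step failed before `nb_streams++`, since that secondary defect disappears with the same deletion.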
>
Will apply this patchset later today unless there are objections.
- Andreas