virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-07-11 14:30:22 +02:00
Code Issues Releases Activity

lavf/mov: ensure only one tkhd per trak

Browse Source 
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.

Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
chcunningham
2018-12-13 13:58:40 -08:00
committed by Michael Niedermayer
parent 04fe02bd80
commit cb901e1836
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/mov.c
View File

@ -3805,7 +3805,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = avformat_new_stream(c->fc, NULL);
if (!st) return AVERROR(ENOMEM);
st->id = c->fc->nb_streams;
st->id = -1;
sc = av_mallocz(sizeof(MOVStreamContext));
if (!sc) return AVERROR(ENOMEM);
@ -4087,6 +4087,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = c->fc->streams[c->fc->nb_streams-1];
sc = st->priv_data;
// Each stream (trak) should have exactly 1 tkhd. This catches bad files and
// avoids corrupting AVStreams mapped to an earlier tkhd.
if (st->id != -1)
return AVERROR_INVALIDDATA;
version = avio_r8(pb);
flags = avio_rb24(pb);
st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0;