[FFmpeg-cvslog] libavformat/mov: Fix NULL-dereference read for some encrypted content.

Jacob Trimble git at videolan.org
Mon Jan 21 13:20:19 EET 2019 

ffmpeg | branch: release/4.1 | Jacob Trimble <modmaker-at-google.com at ffmpeg.org> | Wed Dec 19 16:00:22 2018 -0800| [73c90818b116e3783e6479172a565cfb9fa36036] | committer: Michael Niedermayer

libavformat/mov: Fix NULL-dereference read for some encrypted content.

When reading frames, we need to use the fragment for the correct
stream.  Sometimes the "current" fragment is not the same as the one
the frame is for.

Found by Chromium's ClusterFuzz:
https://crbug.com/906392 and https://crbug.com/915524

Signed-off-by: Jacob Trimble <modmaker at google.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 555f332e7adbd492ca74fa7329c492819b52e2ed)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=73c90818b116e3783e6479172a565cfb9fa36036
---

 libavformat/mov.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6f92742e23..ff7fdd48e2 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6556,14 +6556,14 @@ static int cenc_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryptionInfo *s
     return 0;
 }
 
-static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int current_index)
+static int cenc_filter(MOVContext *mov, AVStream* st, MOVStreamContext *sc, AVPacket *pkt, int current_index)
 {
     MOVFragmentStreamInfo *frag_stream_info;
     MOVEncryptionIndex *encryption_index;
     AVEncryptionInfo *encrypted_sample;
     int encrypted_index, ret;
 
-    frag_stream_info = get_current_frag_stream_info(&mov->frag_index);
+    frag_stream_info = get_frag_stream_info(&mov->frag_index, mov->frag_index.current, st->id);
     encrypted_index = current_index;
     encryption_index = NULL;
     if (frag_stream_info) {
@@ -7793,7 +7793,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
     if (mov->aax_mode)
         aax_filter(pkt->data, pkt->size, mov);
 
-    ret = cenc_filter(mov, sc, pkt, current_index);
+    ret = cenc_filter(mov, st, sc, pkt, current_index);
     if (ret < 0)
         return ret;

More information about the ffmpeg-cvslog mailing list