[FFmpeg-devel] lavf probing

Ronald S. Bultje rbultje
Sun Jun 10 01:22:17 CEST 2007


Hi,

I found a problem with *_probe() functions not doing bounds checks on
AVProbeData input. I can submit a patch, but would rather prevent the
obvious. Is a buffer in p->buf supposed to be expanded by
FF_INPUT_BUFFER_PADDING_SIZE and if so, is a *_probe() supposed to be called
only with p->buf_size > 0 && p->buf != NULL?

(This can happen if rtsp stream setup fails even though rtsp_read_header()
succeeded, which means input reading in av_find_stream_info() fails, but
codecs are unknown so it still tries to set the codec info without having
any actual data. Result is it calling set_codec_from_probe_data() with
p->buf_size = 0 && p->buf == NULL, which crashes in any probe function since
none do bounds checks or buf!=NULL.)

Ronald
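
An added example, not part of the original post and not FFmpeg code: a minimal C sketch of the two places the missing check could live, inside each probe function or in the caller that dispatches to them. `ProbeData`, the `DEMO` header format, the score constant and all function names are hypothetical stand-ins for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PROBE_SCORE_MAX 100   /* constructed score scale for this sketch */
#define DEMO_HEADER_LEN 5     /* 4-byte magic + 1 version byte (hypothetical format) */

/* Stand-in for the probe input described in the post: a buffer and its size. */
typedef struct ProbeData {
    const unsigned char *buf;
    int buf_size;
} ProbeData;

/* Pattern described in the post: reads buf[0..4] with no NULL or size check. */
static int demo_probe_unchecked(const ProbeData *p)
{
    if (memcmp(p->buf, "DEMO", 4) == 0 && p->buf[4] == 1)
        return PROBE_SCORE_MAX;
    return 0;
}

/* Hardened probe: reject NULL, empty or too-short input before any read. */
static int demo_probe_checked(const ProbeData *p)
{
    if (!p || !p->buf || p->buf_size < DEMO_HEADER_LEN)
        return 0;
    return demo_probe_unchecked(p);
}

/* Caller-side guard: never dispatch to any probe when there is no data. */
typedef int (*probe_fn)(const ProbeData *);
static int best_probe_score(const ProbeData *p, const probe_fn *fns, size_t n)
{
    int best = 0;
    if (!p || !p->buf || p->buf_size <= 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int s = fns[i](p);
        if (s > best) best = s;
    }
    return best;
}

int main(void)
{
    static const unsigned char ok[] = { 'D', 'E', 'M', 'O', 1, 0, 0, 0 };
    ProbeData empty = { NULL, 0 }, good = { ok, (int)sizeof(ok) };
    probe_fn fns[] = { demo_probe_unchecked };
    return best_probe_score(&empty, fns, 1) != 0 || demo_probe_checked(&good) != PROBE_SCORE_MAX;
}
```

The caller-side guard only covers the empty case from the post; a buffer that is non-empty but shorter than the header still needs the per-probe length check.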