[FFmpeg-devel] [mov] Bail when invalid sample data is present.

Michael Niedermayer michael at niedermayer.cc
Fri Aug 25 15:43:26 EEST 2017


On Mon, Jul 31, 2017 at 04:42:20PM -0700, Dale Curtis wrote:
> I'm not convinced my original patch catches all cases. So here's an updated
> one which explicitly verifies the contract.
> 
> - dale
> 
> On Mon, Jul 31, 2017 at 2:40 PM, Dale Curtis <dalecurtis at chromium.org>
> wrote:
> 
> > [mov] Bail when invalid sample data is present.
> >
> > ctts data in ffmpeg relies on the index entries array to be 1:1
> > with samples... yet sc->sample_count can be read directly from
> > the 'stsz' box and index entries are only generated if a chunk
> > count has been read from 'stco' box.
> >
> > Ensure that if sc->sample_count > 0, sc->chunk_count is too.
> >
> > This should be applied on top of the ctts fixes in my previous patch.
> >
> >

>  mov.c |    8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> b9e9d387abfa321d17f117833f0b4a6f04ab6feb  sample_count_fix_v2.patch
> From 51571dd294350f2ef367fd9391ed4c1e94387947 Mon Sep 17 00:00:00 2001
> From: Dale Curtis <dalecurtis at chromium.org>
> Date: Mon, 31 Jul 2017 13:44:22 -0700
> Subject: [PATCH] [mov] Bail when invalid sample data is present.
> 
> ctts data in ffmpeg relies on the index entries array to be 1:1
> with samples... yet sc->sample_count can be read directly from
> the 'stsz' box and index entries are only generated if a chunk
> count has been read from 'stco' box.
> 
> Ensure that if sc->sample_count > 0, sc->chunk_count is too as
> a basic sanity check. Additionally we need to check that after
> the index is built we have the right number of entries, so we
> also check in mov_read_trun() that sc->sample_count ==
> st->nb_index_entries.
> ---
>  libavformat/mov.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

This patch breaks:
http://samples.ffmpeg.org/mov/mp4/discont-frag.mp4

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
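
The contract stated in the quoted commit message (sc->sample_count > 0 implies sc->chunk_count > 0), as an added stand-alone example that is not FFmpeg's code and not the patch from this thread: check_stbl() is a hypothetical helper that walks the child boxes of one 'stbl' payload, and the byte array is constructed. It counts 'co64' as equivalent to 'stco', which goes beyond what the message names, and it does not model fragmented files such as the sample reported above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit big-endian integer, the byte order ISO BMFF boxes use. */
static uint32_t rb32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical helper: returns 1 if 'stsz' declares samples but no chunk
 * offset box declares chunks, 0 if consistent, -1 if a box is malformed. */
static int check_stbl(const uint8_t *buf, size_t len)
{
    uint32_t sample_count = 0, chunk_count = 0;
    size_t pos = 0;

    while (pos < len) {
        if (len - pos < 8)
            return -1;                 /* truncated box header */
        uint32_t size = rb32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        if (size < 8 || size > len - pos)
            return -1;                 /* box would overrun its parent */
        if (!memcmp(type, "stsz", 4)) {
            if (size < 20)             /* header, version/flags, sample_size, count */
                return -1;
            sample_count = rb32(buf + pos + 16);
        } else if (!memcmp(type, "stco", 4) || !memcmp(type, "co64", 4)) {
            if (size < 16)             /* header, version/flags, entry_count */
                return -1;
            chunk_count = rb32(buf + pos + 12);
        }
        pos += size;
    }
    return (sample_count > 0 && chunk_count == 0) ? 1 : 0;
}

/* Constructed sample: 'stsz' with sample_size=16, sample_count=2, no 'stco'. */
static const uint8_t stsz_only[] = {
    0,0,0,20, 's','t','s','z', 0,0,0,0, 0,0,0,16, 0,0,0,2,
};

int main(void)
{
    printf("verdict: %d\n", check_stbl(stsz_only, sizeof(stsz_only)));
    return 0;
}
```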