[FFmpeg-trac] #8881(avformat:open): First segment corrupted when using segment & ogg muxers - memory corruption?

FFmpeg trac at avcodec.org
Fri Sep 4 12:11:58 EEST 2020 

#8881: First segment corrupted when using segment & ogg muxers - memory
corruption?
-------------------------------------+-------------------------------------
             Reporter:  teo-         |                    Owner:
  lumifaza                           |
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avformat
              Version:  git-master   |               Resolution:
             Keywords:  ogg segment  |               Blocked By:
  regression                         |
             Blocking:               |  Reproduced by developer:  1
Analyzed by developer:  1            |
-------------------------------------+-------------------------------------
Changes (by mkver):

 * analyzed:  0 => 1
 * keywords:  ogg regression => ogg segment regression


Comment:

 In seg_write_header() the segment muxer changes the AVCodecParameters of
 the stream's used for its internal ogg-muxer after having initialized the
 ogg muxer; but the ogg muxer has analysed the extradata during its init
 function and (in case of vorbis and theora) set a pointer pointing into
 the extradata; this pointer is now dangling. According to the
 documentation, the AVCodecParameters may be set by the caller (in this
 case the segment muxer) before calling avformat_write_header(), so that
 the ogg muxer is violating API as documented (and the way to remedy this
 is to remove the init function from the ogg muxer and do what is done in
 ogg_init() as part of ogg_write_header() (ogg_init() can of course still
 exist as a separate function, but not as init function of the various
 muxers; instead it should be called from ogg_write_header())).
 But on the other hand, the documented behaviour is actually nonsense: If
 one is allowed to change the AVCodecParameters after
 avformat_init_output(), one were allowed to change e.g. the codec ID or
 even the codec type. It meant that basically all checks currently
 performed in the init functions were premature (ergo invalid), because the
 caller would be allowed to change the parameters set lateron. For the
 record, FATE passes when one removes the (btw unchecked) call to
 avcodec_parameters_copy() in seg_write_header(). This should not break
 anything as long as the caller doesn't modify the AVCodecParameters
 between avformat_init_output() and avformat_write_header().
 This call has been added in 8e6478b723affe4d44f94d34b98e0c47f6a0b411; at
 that time, the header was not always written immediately with
 avformat_write_header(). Depending upon flags (namely the autobsf flag) it
 was written when the first packet was written, giving the segment muxer
 time to intercept the packets and extract extradata from them to be used
 when writing the child muxer's header. Today, the whole code for delaying
 writing the header is gone, so this serves no useful purpose any more.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8881#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list