[FFmpeg-cvslog] lavf/mov: ensure only one tkhd per trak
chcunningham
git at videolan.org
Thu Mar 21 20:13:19 EET 2019
ffmpeg | branch: release/4.0 | chcunningham <chcunningham at chromium.org> | Thu Dec 13 13:58:40 2018 -0800| [5d9daae62b9c1a669a504433b78d5a3e75409089] | committer: Michael Niedermayer
lavf/mov: ensure only one tkhd per trak
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Reviewed-by: Baptiste Coudurier <baptiste.coudurier at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d9daae62b9c1a669a504433b78d5a3e75409089
---
libavformat/mov.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index bd9b302e74..1864810846 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1325,6 +1325,10 @@ static int update_frag_index(MOVContext *c, int64_t offset)
return -1;
for (i = 0; i < c->fc->nb_streams; i++) {
+ // Avoid building frag index if streams lack track id.
+ if (c->fc->streams[i]->id < 0)
+ return AVERROR_INVALIDDATA;
+
frag_stream_info[i].id = c->fc->streams[i]->id;
frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE;
frag_stream_info[i].tfdt_dts = AV_NOPTS_VALUE;
@@ -4136,7 +4140,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = avformat_new_stream(c->fc, NULL);
if (!st) return AVERROR(ENOMEM);
- st->id = c->fc->nb_streams;
+ st->id = -1;
sc = av_mallocz(sizeof(MOVStreamContext));
if (!sc) return AVERROR(ENOMEM);
@@ -4420,6 +4424,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st = c->fc->streams[c->fc->nb_streams-1];
sc = st->priv_data;
+ // Each stream (trak) should have exactly 1 tkhd. This catches bad files and
+ // avoids corrupting AVStreams mapped to an earlier tkhd.
+ if (st->id != -1)
+ return AVERROR_INVALIDDATA;
+
version = avio_r8(pb);
flags = avio_rb24(pb);
st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0;
@@ -4686,6 +4695,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom)
break;
}
}
+ av_assert0(index_entry_pos <= st->nb_index_entries);
avio_r8(pb); /* version */
flags = avio_rb24(pb);
More information about the ffmpeg-cvslog
mailing list