[FFmpeg-trac] #9622(avformat:new): Skip samples overflow and negative in fragmented MP4

FFmpeg trac at avcodec.org
Tue Feb 1 01:28:02 EET 2022 

#9622: Skip samples overflow and negative in fragmented MP4
-------------------------------------+-------------------------------------
             Reporter:  Matt         |                     Type:  defect
  Wolenetz                           |
               Status:  new          |                 Priority:  normal
            Component:  avformat     |                  Version:  git-
             Keywords:  mov,         |  master
  skip_samples, timestamp, seek      |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 Negative int64_t result of mov_get_skip_samples() can result if the
 timestamps for samples in moofs decrease (e.g. first moof->traf->tfdt
 having base decode media time of Z, second moof-...time of Y, third ... of
 X, where Z>>Y>>X).
 Scenario: Seek to time X. Observe that the next packet read has time X but
 skip_samples (front discard) value in side data that is negative.

 Two questions:
 1) Should such a stream instead produce parse error of some kind before
 emitting a packet with a negative skip_samples?
 How to reproduce: chromium fuzzer produced a case, but similar can be
 crafted manually. Reference https://crbug.com/1189939.

 2) Return type of mov_get_skip_samples is larger than where it is used in
 caller, resulting in overflow/truncation. Is this only possible for
 malformed streams, which don't currently yield error but maybe should (see
 (1))? Or should the overflow/truncation be fixed or itself trigger some
 error?

 Downstream Chromium will likely just clip negative front_skip_samples to
 be non-negative, but such case may imply other issues in ffmpeg. Hence
 this bug.
 {{{
 % ffplay -loglevel trace -ss <time X> <reproFile>

 ...messages like:
 [mov,mp4,m4a,3gp,3g2,mj2 @ ...] demuxer injecting skip -925335552 /
 discard 0
 ...
 [opus @ ...] skip -925335552 / discard 0 samples due to side data

 ffplay version N-105440-gf23d3a5f8f Copyright (c) 2003-2022 the FFmpeg
 developers

 }}} this bug tracker.
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9622>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list