From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 13 Feb 2025 23:49:20 -0300
Message-ID: <20250214024920.911-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/mov: further ensure mov_build_index isn't run twice

If sc->tts_count is not 0, then the sample index has already been built.

Fixes: Null-dereference READ
Fixes: 396192874/clusterfuzz-testcase-minimized-audio_decoder_fuzzer-4589309789143040
Signed-off-by: James Almer --- Supersedes "avformat/mov: ensure no trun atoms are parsed as children of trak" libavformat/mov.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 85aef33b19..1c4b13864e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4688,7 +4688,7 @@ static void mov_build_index(MOVContext *mov, AVStream *st) /* only use old uncompressed audio chunk demuxing when stts specifies it */ if (!(st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && - sc->stts_count == 1 && sc->stts_data[0].duration == 1)) { + sc->stts_count == 1 && sc->stts_data && sc->stts_data[0].duration == 1)) { unsigned int current_sample = 0; unsigned int stts_sample = 0; unsigned int sample_size; @@ -4700,7 +4700,7 @@ static void mov_build_index(MOVContext *mov, AVStream *st) current_dts -= sc->dts_shift; - if (!sc->sample_count || sti->nb_index_entries) + if (!sc->sample_count || sti->nb_index_entries || sc->tts_count) return; if (sc->sample_count >= UINT_MAX / sizeof(*sti->index_entries) - sti->nb_index_entries) return; @@ -4811,11 +4811,11 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; - ret = mov_merge_tts_data(mov, st, MOV_MERGE_CTTS); - if (ret < 0) + if (!sc->chunk_count || sc->tts_count) return; - if (!sc->chunk_count) + ret = mov_merge_tts_data(mov, st, MOV_MERGE_CTTS); + if (ret < 0) return; // compute total chunk count -- 2.48.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
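
Review bot: In the audio condition of the first hunk (@@ -4688), the added sc->stts_data test makes the code tolerate stts_count == 1 together with a NULL stts_data instead of treating that as an inconsistent state. With the pointer NULL the negated condition is true, so such a stream takes the general per-sample branch rather than the old uncompressed audio chunk path. Please add a comment saying how the count can be 1 while the array is NULL, or, if the array is released elsewhere while the count is kept, reset stts_count there so the count and the pointer cannot disagree.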
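
Review bot: In the second hunk (@@ -4700), the new sc->tts_count term in the early return carries no comment, and the reason given in the commit message ("If sc->tts_count is not 0, then the sample index has already been built") is not visible in the code. A one-line comment above the check would help, including why sti->nb_index_entries alone does not already catch the second call. The same tts_count test is added again in the else branch by the next hunk, so consider whether a single check at the top of mov_build_index could replace both.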
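
Review bot: In the third hunk (@@ -4811), moving the chunk_count test ahead of mov_merge_tts_data changes behaviour beyond the tts_count guard: a stream with chunk_count == 0 used to have mov_merge_tts_data(mov, st, MOV_MERGE_CTTS) called before returning and now returns without it. If that is intended, say so in the commit message; otherwise keep the original order and add only the tts_count test before the merge call. Since mov_build_index returns void, both early returns are silent, so a comment stating that a non-zero tts_count means the index already exists would make the skip clear to later readers.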