From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 396C94CB10
	for <ffmpegdev@gitmailbox.com>; Mon, 11 Aug 2025 01:13:19 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id BA4BD68D271;
	Mon, 11 Aug 2025 04:13:15 +0300 (EEST)
Received: from 65b120843561 (code.ffmpeg.org [188.245.149.3])
 by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 1394E68C41B
 for <ffmpeg-devel@ffmpeg.org>; Mon, 11 Aug 2025 04:13:14 +0300 (EEST)
MIME-Version: 1.0
From: devjeonghwan <code@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] =?utf-8?q?=5BPATCH=5D_=5BPATCH=5D_avformat/apngde?=
 =?utf-8?q?c=3A_allow_other_chunks_between_fcTL_and_fdAT/IDAT_=28PR_=23202?=
 =?utf-8?b?MDgp?=
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Message-Id: <20250811011315.BA4BD68D271@ffbox0-bg.ffmpeg.org>
Date: Mon, 11 Aug 2025 04:13:15 +0300 (EEST)
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250811011315.BA4BD68D271@ffbox0-bg.ffmpeg.org/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #20208 opened by devjeonghwan
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20208
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20208.patch

The APNG demuxer incorrectly assumed that fcTL chunks must be immediately followed by fdAT or IDAT chunks.
Per PNG specification section 14.3.2, ancillary chunks may appear in any order relative to other ancillary chunks.

This change allows intermediate chunks (like tEXt) between fcTL and frame data chunks, fixing playback of APNG files with metadata.

Fixes [#11012](https://trac.ffmpeg.org/ticket/11012).

Follow-up to #20140


>From fa82fd3086262001165cb3be663d7fb241997e00 Mon Sep 17 00:00:00 2001
From: devjeonghwan <dev.parkjeonghwan@gmail.com>
Date: Thu, 7 Aug 2025 01:37:37 +0900
Subject: [PATCH 1/2] avformat/apngdec: allow other chunks between fcTL and
 fdAT/IDAT

---
 libavformat/apngdec.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index d0005046c1..6b9d2c3c88 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -344,14 +344,27 @@ static int apng_read_packet(AVFormatContext *s, AVPacket *pkt)
         if ((ret = decode_fctl_chunk(s, ctx, pkt)) < 0)
             return ret;
 
-        /* fcTL must precede fdAT or IDAT */
+        /* fcTL may be followed by other chunks before fdAT or IDAT */
         len = avio_rb32(pb);
         tag = avio_rl32(pb);
-        if (len > 0x7fffffff ||
-            tag != MKTAG('f', 'd', 'A', 'T') &&
-            tag != MKTAG('I', 'D', 'A', 'T'))
+        if (len > 0x7fffffff)
             return AVERROR_INVALIDDATA;
 
+        /* check for empty frame */
+        if (tag == MKTAG('f', 'c', 'T', 'L') ||
+            tag == MKTAG('I', 'E', 'N', 'D')) {
+            size = 38; /* size of fcTL chunk and its header */
+            if ((ret = avio_seek(pb, -46, SEEK_CUR)) < 0 ||
+                (ret = av_append_packet(pb, pkt, size)) < 0)
+                return ret;
+
+            if (ctx->is_key_frame)
+                pkt->flags |= AV_PKT_FLAG_KEY;
+            pkt->pts = pkt->dts = AV_NOPTS_VALUE;
+            pkt->duration = ctx->pkt_duration;
+            return ret;
+        }
+
         size = 38 /* fcTL */ + 8 /* len, tag */ + len + 4 /* crc */;
         if (size > INT_MAX)
             return AVERROR(EINVAL);
-- 
2.49.1


>From d55907dd3d253c4aff6b4a2ab2c186e41c05348f Mon Sep 17 00:00:00 2001
From: "dev.parkjeonghwan@gmail.com" <dev.parkjeonghwan@gmail.com>
Date: Mon, 11 Aug 2025 09:58:30 +0900
Subject: [PATCH 2/2] avformat/apngdec: reject fcTL-only frame as invalid

---
 libavformat/apngdec.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 6b9d2c3c88..c51cb3c889 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -352,18 +352,8 @@ static int apng_read_packet(AVFormatContext *s, AVPacket *pkt)
 
         /* check for empty frame */
         if (tag == MKTAG('f', 'c', 'T', 'L') ||
-            tag == MKTAG('I', 'E', 'N', 'D')) {
-            size = 38; /* size of fcTL chunk and its header */
-            if ((ret = avio_seek(pb, -46, SEEK_CUR)) < 0 ||
-                (ret = av_append_packet(pb, pkt, size)) < 0)
-                return ret;
-
-            if (ctx->is_key_frame)
-                pkt->flags |= AV_PKT_FLAG_KEY;
-            pkt->pts = pkt->dts = AV_NOPTS_VALUE;
-            pkt->duration = ctx->pkt_duration;
-            return ret;
-        }
+            tag == MKTAG('I', 'E', 'N', 'D'))
+            return AVERROR_INVALIDDATA;
 
         size = 38 /* fcTL */ + 8 /* len, tag */ + len + 4 /* crc */;
         if (size > INT_MAX)
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".