From: Marton Balint <cus@passwd.hu>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH v2] avformat/flvdec: use avio operation instead of pb->buf_ptr use
Date: Thu, 27 Jul 2023 20:56:04 +0200 (CEST)
Message-ID: <20b0c9a1-8364-21eb-10f0-1f13736a1c2@passwd.hu> (raw)
In-Reply-To: <20230727073142.64813-1-lq@chinaffmpeg.org>
On Thu, 27 Jul 2023, Steven Liu wrote:
> check ensure seekback 4 bytes before read 4 bytes from pb,
> and seek back 4 byte from current position after read 4 bytes.
>
> fix segfaults:
> READ of size 1 at 0x6100000003b7 thread T0
> #0 0x7f928d in flv_same_video_codec ffmpeg/libavformat/flvdec.c:317:29
> #1 0x7f928d in flv_read_packet ffmpeg/libavformat/flvdec.c:1177
> #2 0x6ff32f in ff_read_packet ffmpeg/libavformat/demux.c:575:15
> #3 0x70a2fd in read_frame_internal ffmpeg/libavformat/demux.c:1263:15
> #4 0x71d158 in avformat_find_stream_info ffmpeg/libavformat/demux.c:2634:15
> #5 0x4c821b in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:206:11
>
> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
> ---
> libavformat/flvdec.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> index 3fe21622f7..38f34567dd 100644
> --- a/libavformat/flvdec.c
> +++ b/libavformat/flvdec.c
> @@ -35,6 +35,7 @@
> #include "libavutil/intreadwrite.h"
> #include "libavutil/mathematics.h"
> #include "avformat.h"
> +#include "avio_internal.h"
> #include "demux.h"
> #include "internal.h"
> #include "flv.h"
> @@ -313,8 +314,14 @@ static int flv_same_video_codec(AVFormatContext *s, AVCodecParameters *vpar, int
> return 1;
>
> if (flv->exheader) {
> - uint8_t *codec_id_str = (uint8_t *)s->pb->buf_ptr;
> - uint32_t codec_id = codec_id_str[3] | codec_id_str[2] << 8 | codec_id_str[1] << 16 | codec_id_str[0] << 24;
> + uint32_t codec_id = 0;
> + int ret = ffio_ensure_seekback(s->pb, 4);
> + if (ret < 0) {
> + av_log(s, AV_LOG_WARNING, "Could not ensure seekback, because %s", av_err2str(ret));
> + return 0;
> + }
> + codec_id = avio_rb32(s->pb);
> + avio_seek(s->pb, -4, SEEK_CUR);
Can't you rework the code to not do any IO here? It is super confusing
that a function called "flv_same_video_codec" actually reads stuff instead
of using only its parameters to check it.
IMHO the fourcc should be read where VideoTagHeader is read, not here. And
the fourcc should be passed as parameter to flv_same_video_codec. Or maybe
you can use a new variable called videocodecid, and set it to either
fourcc or legacy videocodecid, and pass only that to flv_same_video_codec.
Regards,
Marton
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2023-07-27 18:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-27 2:37 [FFmpeg-devel] [PATCH] " Steven Liu
2023-07-27 6:46 ` Hendrik Leppkes
2023-07-27 7:31 ` [FFmpeg-devel] [PATCH v2] " Steven Liu
2023-07-27 18:56 ` Marton Balint [this message]
2023-07-29 0:25 ` [FFmpeg-devel] [PATCH v3] avformat/flvdec: move read fourcc output before flv_same_video_codec Steven Liu
2023-07-29 8:41 ` Hendrik Leppkes
2023-07-29 8:42 ` Marton Balint
2023-07-29 9:54 ` Hendrik Leppkes
2023-07-29 9:56 ` Hendrik Leppkes
2023-07-29 10:06 ` Steven Liu
2023-07-29 17:49 ` [FFmpeg-devel] [PATCH] avformat/flvdec: handle exheader fourcc correctly in metadata Marton Balint
2023-08-02 1:44 ` Steven Liu
2023-08-03 20:11 ` Marton Balint
2023-07-27 8:00 ` [FFmpeg-devel] [PATCH] avformat/flvdec: use avio operation instead of pb->buf_ptr use Steven Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20b0c9a1-8364-21eb-10f0-1f13736a1c2@passwd.hu \
--to=cus@passwd.hu \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git