[FFmpeg-devel] [PATCH 0/4] Crc crash
From: ffmpegagent @ 2025-07-11 21:28 UTC
To: ffmpeg-devel; +Cc: mkver

The main aim of this patchset is to fix ticket 11233.

Andreas Rheinhardt (4):
  avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
  avformat/oggdec: Don't skip over data whose checksum is used
  avformat/tta: Avoid seek when reading header
  avformat/takdec: Don't truncate return value

 libavformat/aviobuf.c |  2 +-
 libavformat/oggdec.c  |  2 +-
 libavformat/takdec.c  |  9 +++++----
 libavformat/tta.c     | 41 +++++++++++++++++++----------------------
 4 files changed, 26 insertions(+), 28 deletions(-)

base-commit: 3ce348063c9433e33a5cb1ac79ac1efa37c21621
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-108%2Fmkver%2Fcrc_crash-v1
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-108/mkver/crc_crash-v1
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/108
--
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 1/4] avformat/aviobuf: Keep checksum_ptr consistent in avio_seek() 2025-07-11 21:28 [FFmpeg-devel] [PATCH 0/4] Crc crash ffmpegagent @ 2025-07-11 21:28 ` Andreas Rheinhardt 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 2/4] avformat/oggdec: Don't skip over data whose checksum is used Andreas Rheinhardt ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: Andreas Rheinhardt @ 2025-07-11 21:28 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Andreas Rheinhardt From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> Otherwise it might be > buf_ptr in which case ffio_get_checksum() could segfault (s->buf_ptr - s->checksum_ptr would be negative which would be converted to something very big when converted to unsigned for the update_checksum callback). Fixes ticket #11233. Reported-by: Du4t Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 6a74c1ce68..9041280e77 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -308,7 +308,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) ctx->seek_count++; if (!s->write_flag) s->buf_end = s->buffer; - s->buf_ptr = s->buf_ptr_max = s->buffer; + s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer; s->pos = offset; } s->eof_reached = 0; -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
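Review bot: the added assignment restores the invariant checksum_ptr <= buf_ptr on the path that discards the buffer, but it also silently drops whatever buffered bytes had not yet been folded into the running checksum, so a caller that seeks between ffio_init_checksum() and ffio_get_checksum() now gets a checksum over fewer bytes instead of the out-of-bounds read the commit message describes; that contract deserves a sentence in the commit message or in the comment on ffio_init_checksum(). Since the invariant is now maintained only at this one site, an av_assert1(s->buf_ptr >= s->checksum_ptr) in ffio_get_checksum() would turn any future regression into a clean abort rather than a huge length passed to update_checksum.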
* [FFmpeg-devel] [PATCH 2/4] avformat/oggdec: Don't skip over data whose checksum is used 2025-07-11 21:28 [FFmpeg-devel] [PATCH 0/4] Crc crash ffmpegagent 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 1/4] avformat/aviobuf: Keep checksum_ptr consistent in avio_seek() Andreas Rheinhardt @ 2025-07-11 21:28 ` Andreas Rheinhardt 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 3/4] avformat/tta: Avoid seek when reading header Andreas Rheinhardt 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 4/4] avformat/takdec: Don't truncate return value Andreas Rheinhardt 3 siblings, 0 replies; 5+ messages in thread From: Andreas Rheinhardt @ 2025-07-11 21:28 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Andreas Rheinhardt From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> The behavior of the ffio_*_checksum feature is not well defined when using avio_skip(). The code in oggdec.c relied on the skipped data (four bytes) to be checksummed, which is mostly true because short_seek_threshold is 32768 by default, so that avio_seek() will normally read data instead of calling the underlying seek function. Yet this has two problems: a) It relies on implementation details of avio_seek(). b) There is an exception, namely if the AVIO_FLAG_DIRECT is set. In this case the underlying seek function (if set) is always called and the data is skipped, leading to CRC errors. So don't skip the data. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavformat/oggdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index da3ef815db..9dc2c62035 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
@@ -370,7 +370,7 @@ static int ogg_read_page(AVFormatContext *s, int *sid, int probing) flags = avio_r8(bc); gp = avio_rl64(bc); serial = avio_rl32(bc); - avio_skip(bc, 4); /* seq */ + avio_rl32(bc); /* seq */ crc_tmp = ffio_get_checksum(bc); crc = avio_rb32(bc); -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
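Review bot: the replacement line keeps only `/* seq */` as its comment, which no longer tells a reader why a read whose result is thrown away is preferable to avio_skip(); the commit message says the point is that these four bytes must pass through the checksum, so state that at the call site, e.g. `avio_rl32(bc); /* seq; read rather than skipped so it is checksummed */`. Without it the next cleanup pass is likely to turn this back into the skip and reintroduce the CRC errors under AVIO_FLAG_DIRECT.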
* [FFmpeg-devel] [PATCH 3/4] avformat/tta: Avoid seek when reading header 2025-07-11 21:28 [FFmpeg-devel] [PATCH 0/4] Crc crash ffmpegagent 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 1/4] avformat/aviobuf: Keep checksum_ptr consistent in avio_seek() Andreas Rheinhardt 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 2/4] avformat/oggdec: Don't skip over data whose checksum is used Andreas Rheinhardt @ 2025-07-11 21:28 ` Andreas Rheinhardt 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 4/4] avformat/takdec: Don't truncate return value Andreas Rheinhardt 3 siblings, 0 replies; 5+ messages in thread From: Andreas Rheinhardt @ 2025-07-11 21:28 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Andreas Rheinhardt From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavformat/tta.c | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index fdc18216c8..6e3c3a0007 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c 
@@ -51,36 +51,34 @@ static int tta_read_header(AVFormatContext *s) { TTAContext *c = s->priv_data; AVStream *st; - int i, channels, bps, samplerate; - int64_t framepos, start_offset; - uint32_t nb_samples, crc; + int64_t framepos; + uint8_t header[22]; ff_id3v1_read(s); - start_offset = avio_tell(s->pb); - if (start_offset < 0) - return start_offset; - ffio_init_checksum(s->pb, ff_crcEDB88320_update, UINT32_MAX); - if (avio_rl32(s->pb) != AV_RL32("TTA1")) + int ret = ffio_read_size(s->pb, header, sizeof(header)); + if (ret < 0) + return ret; + + if (AV_RL32(header) != MKTAG('T', 'T', 'A', '1')) return AVERROR_INVALIDDATA; - avio_skip(s->pb, 2); // FIXME: flags - channels = avio_rl16(s->pb); - bps = avio_rl16(s->pb); - samplerate = avio_rl32(s->pb); + int channels = AV_RL16(header + 6); + int bps = AV_RL16(header + 8); + int samplerate = AV_RL32(header + 10); if(samplerate <= 0 || samplerate > 1000000){ av_log(s, AV_LOG_ERROR, "nonsense samplerate\n"); return AVERROR_INVALIDDATA; } - nb_samples = avio_rl32(s->pb); + uint32_t nb_samples = AV_RL32(header + 14); if (!nb_samples) { av_log(s, AV_LOG_ERROR, "invalid number of samples\n"); return AVERROR_INVALIDDATA; } - crc = ffio_get_checksum(s->pb) ^ UINT32_MAX; - if (crc != avio_rl32(s->pb) && s->error_recognition & AV_EF_CRCCHECK) { + uint32_t crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE_LE), UINT32_MAX, header, 18) ^ UINT32_MAX; + if (crc != AV_RL32(header + 18) && s->error_recognition & AV_EF_CRCCHECK) { av_log(s, AV_LOG_ERROR, "Header CRC error\n"); return AVERROR_INVALIDDATA; } 
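Review bot: the `// FIXME: flags` marker disappears together with the removed `avio_skip(s->pb, 2)` line, but the two flag bytes at header + 4 are still not parsed in the new code, so the marker should survive as a comment next to the offset reads (e.g. `/* header + 4: flags, still unparsed */`). The av_crc() call with AV_CRC_32_IEEE_LE, an initial value of UINT32_MAX and the final XOR reproduces the old ff_crcEDB88320_update result over the 18 bytes preceding the stored CRC, which is correct, but the include block is outside the hunk: confirm that libavutil/crc.h is included in tta.c, since ff_crcEDB88320_update came from avio_internal.h and av_crc()/av_crc_get_table() do not.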
@@ -105,19 +103,18 @@ static int tta_read_header(AVFormatContext *s) st->start_time = 0; st->duration = nb_samples; + ret = ff_alloc_extradata(st->codecpar, sizeof(header)); + if (ret < 0) + return ret; + memcpy(st->codecpar->extradata, header, sizeof(header)); + framepos = avio_tell(s->pb); if (framepos < 0) return framepos; framepos += 4 * c->totalframes + 4; - if (ff_alloc_extradata(st->codecpar, avio_tell(s->pb) - start_offset)) - return AVERROR(ENOMEM); - - avio_seek(s->pb, start_offset, SEEK_SET); - avio_read(s->pb, st->codecpar->extradata, st->codecpar->extradata_size); - ffio_init_checksum(s->pb, ff_crcEDB88320_update, UINT32_MAX); - for (i = 0; i < c->totalframes; i++) { + for (int i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; if (avio_feof(s->pb)) -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
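Review bot: the `ffio_init_checksum(s->pb, ff_crcEDB88320_update, UINT32_MAX)` before the seek-table loop is removed without a replacement and, together with the removal in the previous hunk, leaves no checksum initialisation in tta_read_header() at all; nothing in the hunk shows where that checksum was consumed, so the commit message (currently only a Signed-off-by) should state whether the seek-table CRC was never verified and the init was dead, or whether a verification is being dropped. It should also record that the extradata content is unchanged (the same 22 header bytes, now copied from the local buffer instead of re-read after a seek back to start_offset), that the header can therefore be parsed from non-seekable input, and that ff_alloc_extradata()'s real error code is now propagated instead of the unconditional AVERROR(ENOMEM).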
* [FFmpeg-devel] [PATCH 4/4] avformat/takdec: Don't truncate return value 2025-07-11 21:28 [FFmpeg-devel] [PATCH 0/4] Crc crash ffmpegagent ` (2 preceding siblings ...) 2025-07-11 21:28 ` [FFmpeg-devel] [PATCH 3/4] avformat/tta: Avoid seek when reading header Andreas Rheinhardt @ 2025-07-11 21:28 ` Andreas Rheinhardt 3 siblings, 0 replies; 5+ messages in thread From: Andreas Rheinhardt @ 2025-07-11 21:28 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Andreas Rheinhardt From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> This is unlikely to matter for real files. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavformat/takdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/takdec.c b/libavformat/takdec.c index b8f76aaa67..c1271601b5 100644 --- a/libavformat/takdec.c +++ b/libavformat/takdec.c @@ -141,10 +141,11 @@ static int tak_read_header(AVFormatContext *s) tc->data_end += curpos; return 0; } - default: - ret = avio_skip(pb, size); - if (ret < 0) - return ret; + default: { + int64_t ret64 = avio_skip(pb, size); + if (ret64 < 0) + return ret64; + } } if (type == TAK_METADATA_STREAMINFO) { -- ffmpeg-codebot _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
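Review bot: the check `if (ret64 < 0) return ret64;` is right, but `return ret64` still narrows an int64_t to the int return type of tak_read_header(); error codes fit, so it is harmless, and an explicit `(int)` cast or a short comment would make that intent clear to a reader who has just seen the title. The commit message should also spell out what "truncate" meant in practice: avio_skip() returns the new int64_t position, and storing it in the old `ret` (evidently narrower, given the title) would wrap a position at or above 2^31 into a negative value that is then returned as a spurious error on files larger than 2 GiB, which is the case the message calls unlikely for real files.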