From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id DB1834BA49 for ; Tue, 22 Jul 2025 16:32:36 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id EBCF168D132; Tue, 22 Jul 2025 19:32:31 +0300 (EEST) Received: from out162-62-57-64.mail.qq.com (out162-62-57-64.mail.qq.com [162.62.57.64]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id CF77368CF3C for ; Tue, 22 Jul 2025 19:32:24 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1753201930; bh=DUCA2UZ7/MOTjTJF7mwNZ/bYHzw4cPcAy2ax8dXpSeE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=P6L0Adixxj7IzU1kd+BdyTvjEXaUQywqwwK5IuCmlea/9yh38ALOvbqk1K2MiLJPC P3mKav7XVlQ05PY9J/WG+NlnXvZouhMBrnWg+hhoViOBQdCjkrbYTeQKTHjLoxXnXe I2eIwzi81MaP3DPRQU9fgUUTDiDWz4HYXNI/K2RA= Received: from ZHILIZHAO-MB1.tencent.com ([240e:3b7:3270:9130:5c8e:9e35:a305:fa8c]) by newxmesmtplogicsvrszb21-0.qq.com (NewEsmtp) with SMTP id 809138E8; Wed, 23 Jul 2025 00:32:09 +0800 X-QQ-mid: xmsmtpt1753201929tg118xkcd Message-ID: X-QQ-XMAILINFO: MeukCuWaRbQleaFs2TLFGOHMDdILyQb7/UBez3dPYpxxmHCeY9DUvn2W18/QXu BQ06YxWsPmIUEWijCM84G6WBf73nkcrYynEMXSEqGJo6hv7Ytfu1EHWDZk9BySCoraGEDy2G78S2 XgilWcMuz2Gc5JBpwf+w/fManrmAp02UHx5HwPrDHKGXUkhaJgvRbd/IdzbBLaXg06sfKZMHozw3 gHDEroKhKtaKK8PdtMFOuhGO0F/DBRI1eRBEuxiTCgWy+ikjyLJjYeXLLxxd4BO5dy6D0Ewumccn EAev2z+IojmihkMFliW7y29fRianZVjxau9VlwpBZZfin4QiuFLiXddOSKD0wy5Q6zBuiomFT34X 1JwDh4P4JILwBnB6o6fTTWz2a72Wt7Id0/SYJqP7I+kHBcIQSKWeyK5Jy08dLUEJGVadbDWLsndT 2l6hJGxK7zunaBnAISaO3ZmDm65dWkEX/zzdbo7oRBI7S/2qHXuouJ2o6ABDEaC40XhP5ftAYncy bUyGqSi8lBGjGpCUzzfQX8T16jY0gCzlqKLI5fp2ppT6UpzDajMFNKxNlhVj5OTv9jKU6LNwJD8C /aE8JbzNK2uORF6tBV5cVpk06G6mhCeFbk9RpnXCRufze9dpNVuVbUde44e6Rw9G0XBbZ9DgxntV ckX3sMEGnjfIxHuIGwK2HP+KbvwpgBFKIPJ6aDwDD5J+SQ0sfXjIEKr8LxB8RpNSjbWlPWk5vtER WxHKoRjmsuzPISKJXwTLTCh+F82x3pIc0Zmk2UhIr01m5bK/FVsFgMEJoGfTCUzRPCIz/BCIOwrn WWMvn/nTFFuVK1/TXq3gRrGDZH/nyiY/axwMZ5pbC0Inntf6iJ6X5x5QQYSW377JTRh0RCIlqOqp OKoBD/NTIufFCF4fmzuHrcR/ioxilpNwYeB0dFQp63pYhDTsHgBUrwpuqCZGff6j5Kv/caFXpK7D E3XwVsPFWGJ4DDl0v7Wet5WPs4ip7HDReG+WTvh7/qANT58D86ujx4GLhBKiwaaRMcdthGed00Dz JtTK86YA== X-QQ-XMRINFO: MPJ6Tf5t3I/ycC2BItcBVIA= From: Zhao Zhili To: ffmpeg-devel@ffmpeg.org Date: Wed, 23 Jul 2025 00:32:00 +0800 X-OQ-MSGID: <20250722163200.60204-1-quinkblack@foxmail.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: References: MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH v2] avformat/mxfenc: Ensure frame offset in valid range X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Zhao Zhili Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: From: Zhao Zhili Fix assert failure. Fix #11666. Signed-off-by: Zhao Zhili --- libavformat/mxfenc.c | 48 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index d12ccfd739..9e00a700ab 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1983,7 +1983,17 @@ static unsigned klv_fill_size(uint64_t size) return pad & (KAG_SIZE-1); } -static void mxf_write_index_table_segment(AVFormatContext *s) +static inline int mxf_check_frame_offset(AVFormatContext *s, int offset) +{ + if (offset >= INT8_MIN && offset <= INT8_MAX) + return 0; + + av_log(s, AV_LOG_ERROR, "frame offset %d out of range [%d,%d], please reduce " + "encoder GOP size\n", offset, INT8_MIN, INT8_MAX); + return AVERROR_INVALIDDATA; +} + +static int mxf_write_index_table_segment(AVFormatContext *s) { MXFContext *mxf = s->priv_data; AVIOContext *pb = s->pb; @@ -1992,11 +2002,12 @@ static void mxf_write_index_table_segment(AVFormatContext *s) int prev_non_b_picture = 0; int audio_frame_size = 0; int64_t pos; + int err; av_log(s, AV_LOG_DEBUG, "edit units count %d\n", mxf->edit_units_count); if (!mxf->edit_units_count && !mxf->edit_unit_byte_count) - return; + return 0; avio_write(pb, index_table_segment_key, 16); @@ -2095,15 +2106,26 @@ static void mxf_write_index_table_segment(AVFormatContext *s) if (j == mxf->edit_units_count) av_log(s, AV_LOG_WARNING, "missing frames\n"); temporal_offset = j - key_index - pic_num_in_gop; + err = mxf_check_frame_offset(s, temporal_offset); + if (err < 0) + return err; } } avio_w8(pb, temporal_offset); if ((mxf->index_entries[i].flags & 0x30) == 0x30) { // back and forward prediction + int offset = mxf->last_key_index - i; + err = mxf_check_frame_offset(s, offset); + if (err < 0) + return err; sc->b_picture_count = FFMAX(sc->b_picture_count, i - prev_non_b_picture); - avio_w8(pb, mxf->last_key_index - i); + avio_w8(pb, offset); } else { - avio_w8(pb, key_index - i); // key frame offset + int offset = key_index - i; + err = mxf_check_frame_offset(s, offset); + if (err < 0) + return err; + avio_w8(pb, offset); // key frame offset if ((mxf->index_entries[i].flags & 0x20) == 0x20) // only forward mxf->last_key_index = key_index; prev_non_b_picture = i; @@ -2127,6 +2149,8 @@ static void mxf_write_index_table_segment(AVFormatContext *s) } mxf_update_klv_size(pb, pos); + + return 0; } static void mxf_write_klv_fill(AVFormatContext *s) @@ -3354,7 +3378,9 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) if ((err = mxf_write_partition(s, 1, 2, header_open_partition_key, 1)) < 0) return err; mxf_write_klv_fill(s); - mxf_write_index_table_segment(s); + err = mxf_write_index_table_segment(s); + if (err < 0) + return err; } else { if ((err = mxf_write_partition(s, 0, 0, header_open_partition_key, 1)) < 0) return err; @@ -3370,7 +3396,9 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) if ((err = mxf_write_partition(s, 1, 2, body_partition_key, 0)) < 0) return err; mxf_write_klv_fill(s); - mxf_write_index_table_segment(s); + err = mxf_write_index_table_segment(s); + if (err < 0) + return err; } mxf_write_klv_fill(s); @@ -3455,7 +3483,9 @@ static int mxf_write_footer(AVFormatContext *s) if ((err = mxf_write_partition(s, 0, 2, footer_partition_key, 0)) < 0) return err; mxf_write_klv_fill(s); - mxf_write_index_table_segment(s); + err = mxf_write_index_table_segment(s); + if (err < 0) + return err; } mxf_write_klv_fill(s); @@ -3474,7 +3504,9 @@ static int mxf_write_footer(AVFormatContext *s) if ((err = mxf_write_partition(s, 1, 2, header_closed_partition_key, 1)) < 0) return err; mxf_write_klv_fill(s); - mxf_write_index_table_segment(s); + err = mxf_write_index_table_segment(s); + if (err < 0) + return err; } else { if ((err = mxf_write_partition(s, 0, 0, header_closed_partition_key, 1)) < 0) return err; -- 2.46.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".