[FFmpeg-cvslog] avformat/mpegts: pass MpegTSContext ptr explicitly (fixes #3721)

Alexander V. Lukyanov git at videolan.org
Tue Jul 8 22:18:24 CEST 2014 

ffmpeg | branch: master | Alexander V. Lukyanov <lavv17f at gmail.com> | Tue Jul  8 11:54:15 2014 +0400| [8635954335061ea4c03d3f492b7bc803ea740d9c] | committer: Michael Niedermayer

avformat/mpegts: pass MpegTSContext ptr explicitly (fixes #3721)

AVFormatContext->priv_data is not always a MpegTSContext, it can be
RTSPState when decoding a RTP stream. So it is necessary to pass
MpegTSContext pointer explicitly.

This fixes memory corruption from bug #3721 (RTSPState is smaller than
MpegTSContext thus innocent memory gets overwritten).

Signed-off-by: Alexander V. Lukyanov <lavv17f at gmail.com>
Reviewed-by: Marton Balint <cus at passwd.hu>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8635954335061ea4c03d3f492b7bc803ea740d9c
---

 libavformat/mpegts.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 3434341..d03fe2f 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -357,10 +357,9 @@ static int discard_pid(MpegTSContext *ts, unsigned int pid)
  *  Assemble PES packets out of TS packets, and then call the "section_cb"
  *  function when they are complete.
  */
-static void write_section_data(AVFormatContext *s, MpegTSFilter *tss1,
+static void write_section_data(MpegTSContext *ts, MpegTSFilter *tss1,
                                const uint8_t *buf, int buf_size, int is_start)
 {
-    MpegTSContext *ts = s->priv_data;
     MpegTSSectionFilter *tss = &tss1->u.section_filter;
     int len;
 
@@ -2010,7 +2009,6 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low,
 /* handle one TS packet */
 static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
 {
-    AVFormatContext *s = ts->stream;
     MpegTSFilter *tss;
     int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity,
         has_adaptation, has_payload;
@@ -2084,7 +2082,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
                 return 0;
             if (len && cc_ok) {
                 /* write remaining section bytes */
-                write_section_data(s, tss,
+                write_section_data(ts, tss,
                                    p, len, 0);
                 /* check whether filter has been closed */
                 if (!ts->pids[pid])
@@ -2092,12 +2090,12 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
             }
             p += len;
             if (p < p_end) {
-                write_section_data(s, tss,
+                write_section_data(ts, tss,
                                    p, p_end - p, 1);
             }
         } else {
             if (cc_ok) {
-                write_section_data(s, tss,
+                write_section_data(ts, tss,
                                    p, p_end - p, 0);
             }
         }

More information about the ffmpeg-cvslog mailing list