[FFmpeg-devel] [PATCH 2/6] Fixed segfault on corrupted sega streams in the demuxer.

Laurent Aimar fenrir at elivagar.org
Mon Sep 12 21:21:50 CEST 2011


On Sun, Sep 11, 2011 at 08:37:18PM +0200, Michael Niedermayer wrote:
> On Sun, Sep 11, 2011 at 07:17:41PM +0200, fenrir at elivagar.org wrote:
> > From: Laurent Aimar <fenrir at videolan.org>
> > 
> > ---
> >  libavformat/segafilm.c |    4 +++-
> >  1 files changed, 3 insertions(+), 1 deletions(-)
> > 
> > diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
> > index 7a84daf..49b23fc 100644
> > --- a/libavformat/segafilm.c
> > +++ b/libavformat/segafilm.c
> > @@ -176,6 +176,8 @@ static int film_read_header(AVFormatContext *s,
> >      if(film->sample_count >= UINT_MAX / sizeof(film_sample))
> >          return -1;
> >      film->sample_table = av_malloc(film->sample_count * sizeof(film_sample));
> > +    if (!film->sample_table)
> > +        return AVERROR(ENOMEM);
> >  
> >      for(i=0; i<s->nb_streams; i++)
> >          av_set_pts_info(s->streams[i], 33, 1, film->base_clock);
> 
> > @@ -199,7 +201,7 @@ static int film_read_header(AVFormatContext *s,
> >              if (film->audio_type == CODEC_ID_ADPCM_ADX)
> >                  audio_frame_counter += (film->sample_table[i].sample_size * 32 /
> >                      (18 * film->audio_channels));
> > -            else
> > +            else if (film->audio_type != CODEC_ID_NONE)
> >                  audio_frame_counter += (film->sample_table[i].sample_size /
> >                      (film->audio_channels * film->audio_bits / 8));
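
Review bot: The `else if (film->audio_type != CODEC_ID_NONE)` guard does not make the divisor non-zero. `film->audio_channels * film->audio_bits / 8` is still 0 when audio_channels is 0, when audio_bits is 0, or when their product is below 8, and the ADX branch above divides by `18 * film->audio_channels` with the same exposure. Validate audio_channels and audio_bits once, before this loop, and fail the header read if either divisor would be zero, instead of keying the check on audio_type.
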
> 
> I suspect this is supposed to avoid a division by 0, if so this seems
> the wrong thing to check as it seems audio_channels still can be 0

I have split the patch into 2, fixed the other division by 0 and added
another allocation failure check.

-- 
fenrir
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Check-for-memory-allocation-failures-in-segafilm-dem.patch
Type: text/x-diff
Size: 1508 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110912/34d3554a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-potential-division-by-0-on-corrupted-segafilm-st.patch
Type: text/x-diff
Size: 1783 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20110912/34d3554a/attachment-0001.bin>

