[FFmpeg-trac] #7733(avformat:open): Segmentation faults and double-free using spdif muxer

Wed Feb 13 04:26:54 EET 2019

#7733: Segmentation faults and double-free using spdif muxer
-------------------------------------+------------------------------------
             Reporter:  barsnick     |                    Owner:
                 Type:  defect       |                   Status:  open
             Priority:  important    |                Component:  avformat
              Version:  git-master   |               Resolution:
             Keywords:  spdif crash  |               Blocked By:
             Blocking:               |  Reproduced by developer:  1
Analyzed by developer:  0            |
-------------------------------------+------------------------------------
Changes (by cehoyos):

 * status:  new => open
 * reproduced:  0 => 1
 * component:  undetermined => avformat
 * priority:  normal => important
 * version:  unspecified => git-master
 * keywords:   => spdif crash


Comment:

 Please test this patch:
 {{{
 diff --git a/libavformat/spdifenc.c b/libavformat/spdifenc.c
 index 9514ff8..4307942 100644
 --- a/libavformat/spdifenc.c
 +++ b/libavformat/spdifenc.c
 @@ -422,8 +422,13 @@ static int spdif_header_truehd(AVFormatContext *s,
 AVPacket *pkt)

      memcpy(&ctx->hd_buf[ctx->hd_buf_count * TRUEHD_FRAME_OFFSET -
 BURST_HEADER_SIZE + mat_code_length],
             pkt->data, pkt->size);
 -    memset(&ctx->hd_buf[ctx->hd_buf_count * TRUEHD_FRAME_OFFSET -
 BURST_HEADER_SIZE + mat_code_length + pkt->size],
 -           0, TRUEHD_FRAME_OFFSET - pkt->size - mat_code_length);
 +    if (ctx->hd_buf_count < 23) {
 +        memset(&ctx->hd_buf[ctx->hd_buf_count * TRUEHD_FRAME_OFFSET -
 BURST_HEADER_SIZE + mat_code_length + pkt->size],
 +               0, TRUEHD_FRAME_OFFSET - pkt->size - mat_code_length);
 +    } else {
 +        size_t padding = MAT_FRAME_SIZE - (ctx->hd_buf_count *
 TRUEHD_FRAME_OFFSET - BURST_HEADER_SIZE + pkt->size);
 +        memset(&ctx->hd_buf[MAT_FRAME_SIZE - padding], 0, padding);
 +    }

      if (++ctx->hd_buf_count < 24){
          ctx->pkt_offset = 0;
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/7733#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker