[FFmpeg-trac] #8652(avformat:new): Segmentation fault with HLS var_stream_map

FFmpeg trac at avcodec.org
Tue May 5 02:05:29 EEST 2020


#8652: Segmentation fault with HLS var_stream_map
-------------------------------------+-------------------------------------
             Reporter:  udyojiar     |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  avformat
              Version:  git-master   |               Resolution:
             Keywords:  hls crash    |               Blocked By:
  SIGSEGV                            |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------

Comment (by mkver):

 Please test this patch:

 {{{
 From 1ec665efd699a5915d5b2028c5971176e3b6c1bd Mon Sep 17 00:00:00 2001
 From: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
 Date: Tue, 5 May 2020 00:40:44 +0200
 Subject: [PATCH] avformat/hlsenc: Improve checks for invalid stream
 mappings

 The mapping of streams to the various variant streams to be created by
 the HLS muxer is roughly as follows: Space and tab separate variant
 stream group maps while the entries in each variant stream group map are
 separated by ','.

 The parsing process of each variant stream group proceeded as follows:
 At first the number of occurrences of "a:", "v:" and "s:" in each variant
 stream group is calculated so that one can allocate an array of
 streams with this number of entries. Then each entry is checked and the
 check for stream numbers was deficient: It did check that there is a
 number beginning after the ":", but it did not check that the number
 extends until the next "," (or until the end).

 This means that an invalid variant stream group like v:0_v:1 will not be
 rejected; the problem is that the variant stream in this example is
 supposed to have two streams associated with it (because it contains two
 "v:"), yet only one stream is actually associated with it (because there
 is no ',' to start a second stream specifier). This discrepancy led to
 segfaults (null pointer dereferencing) in the rest of the code (when the
 nonexistent second stream associated to the variant stream was involved).

 Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
 ---
  libavformat/hlsenc.c | 14 +++++++++-----
  1 file changed, 9 insertions(+), 5 deletions(-)

 diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
 index 008a3f3947..843b906203 100644
 --- a/libavformat/hlsenc.c
 +++ b/libavformat/hlsenc.c
 @@ -1867,7 +1867,7 @@ fail:

  static int get_nth_codec_stream_index(AVFormatContext *s,
                                        enum AVMediaType codec_type,
 -                                      int stream_id)
 +                                      int64_t stream_id)
  {
      unsigned int stream_index, cnt;
      if (stream_id < 0 || stream_id > s->nb_streams - 1)
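
Review bot: the range check kept as context at the end of this hunk, `stream_id > s->nb_streams - 1`, subtracts before it compares. nb_streams is an unsigned field, so with zero streams the right-hand side wraps to UINT_MAX and every stream_id from 0 to UINT_MAX passes. Writing the bound as `stream_id >= s->nb_streams` avoids the wrap. Since the function still returns int, a short comment that the parameter is int64_t only so the strtoll result reaches this check untruncated would help the next reader.
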
 @@ -1950,6 +1950,8 @@ static int
 parse_variant_stream_mapstring(AVFormatContext *s)

          nb_streams = 0;
          while (keyval = av_strtok(varstr, ",", &saveptr2)) {
 +            int64_t num;
 +            char *end;
              varstr = NULL;
              if (av_strstart(keyval, "language:", &val)) {
                  av_free(vs->language);
 @@ -1998,10 +2000,12 @@ static int
 parse_variant_stream_mapstring(AVFormatContext *s)
                  return AVERROR(EINVAL);
              }

 -            stream_index = -1;
 -            if (av_isdigit(*val))
 -                stream_index = get_nth_codec_stream_index (s, codec_type,
 -                                                           atoi(val));
 +            num = strtoll(val, &end, 10);
 +            if (!av_isdigit(*val) || *end != '\0' || val == end) {
 +                av_log(s, AV_LOG_ERROR, "Invalid stream number: '%s'\n",
 val);
 +                return AVERROR(EINVAL);
 +            }
 +            stream_index = get_nth_codec_stream_index(s, codec_type,
 num);

              if (stream_index >= 0 && nb_streams < vs->nb_streams) {
                  for (i = 0; nb_streams > 0 && i < nb_streams; i++) {
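
Review bot: in the new condition, `val == end` can never be true once `!av_isdigit(*val)` is false, because strtoll always consumes a leading digit. Either drop it, or keep only one of the two tests and note in a comment that av_isdigit is what rejects a sign or leading whitespace. Overflow is also not checked here: strtoll saturates and errno is not inspected, which is safe only because get_nth_codec_stream_index range-checks its int64_t argument, so a one-line comment stating that dependency would protect it from a later refactor. The new `return AVERROR(EINVAL);` leaves from inside the av_strtok loop, so please confirm that anything set up for the current variant stream earlier in the loop (vs->language is freed and reassigned above) is released by the caller on this path.
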
 --
 2.20.1
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8652#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
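
The count-versus-parse mismatch described in the commit message, as an added stand-alone example that is not part of the patch or of FFmpeg. The names count_specs and parse_group are hypothetical, plain libc calls stand in for FFmpeg's helpers, and the sample strings are constructed (v:0_v:1 is the one from the commit message).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count "a:", "v:" and "s:" in one variant stream group. Per the commit
 * message, this count sizes the stream array before entries are parsed. */
static int count_specs(const char *group)
{
    int n = 0;
    for (const char *p = group; *p; p++)
        if ((*p == 'a' || *p == 'v' || *p == 's') && p[1] == ':')
            n++;
    return n;
}

/* Parse the ','-separated entries of one group.
 * strict == 0: only require that the number starts with a digit (old check).
 * strict == 1: also require that the number runs to the end of the entry.
 * Returns the number of entries accepted, or -1 if an entry is rejected. */
static int parse_group(const char *group, int strict)
{
    int parsed = 0;
    for (const char *p = group; *p; ) {
        size_t len = strcspn(p, ",");          /* length of this entry */
        char entry[64], *end;
        if (len < 3 || len >= sizeof(entry))
            return -1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (!(entry[0] == 'a' || entry[0] == 'v' || entry[0] == 's') || entry[1] != ':')
            return -1;
        (void)strtoll(entry + 2, &end, 10);    /* end = first unparsed char */
        if (!isdigit((unsigned char)entry[2]) || (strict && *end != '\0'))
            return -1;
        parsed++;
        p += len;
        if (*p == ',')
            p++;
    }
    return parsed;
}

int main(void)
{
    const char *samples[] = { "v:0,a:0", "v:0_v:1", "v:0,a:1x" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-9s counted=%d lenient=%d strict=%d\n", samples[i], count_specs(samples[i]),
               parse_group(samples[i], 0), parse_group(samples[i], 1));
    return 0;
}
```

For v:0_v:1 the lenient parse accepts one entry while two were counted, which is the gap that left an array slot unfilled; the strict parse rejects the group instead.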

