[FFmpeg-trac] #8652(avformat:new): Segmentation fault with HLS var_stream_map
FFmpeg
trac at avcodec.org
Tue May 5 02:05:29 EEST 2020
#8652: Segmentation fault with HLS var_stream_map
-------------------------------------+-------------------------------------
Reporter: udyojiar | Owner:
Type: defect | Status: new
Priority: important | Component: avformat
Version: git-master | Resolution:
Keywords: hls crash | Blocked By:
SIGSEGV |
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Comment (by mkver):
Please test this patch:
{{{
From 1ec665efd699a5915d5b2028c5971176e3b6c1bd Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date: Tue, 5 May 2020 00:40:44 +0200
Subject: [PATCH] avformat/hlsenc: Improve checks for invalid stream
mappings
The mapping of streams to the various variant streams to be created by
the HLS muxer is roughly as follows: Space and tab separate variant
stream group maps while the entries in each variant stream group map are
separated by ','.
The parsing process of each variant stream group proceeded as follows:
At first the number of occurrences of "a:", "v:" and "s:" in each variant
stream group is calculated so that one can allocate an array of
streams with this number of entries. Then each entry is checked and the
check for stream numbers was deficient: It did check that there is a
number beginning after the ":", but it did not check that the number
extends until the next "," (or until the end).
This means that an invalid variant stream group like v:0_v:1 will not be
rejected; the problem is that the variant stream in this example is
supposed to have two streams associated with it (because it contains two
"v:"), yet only one stream is actually associated with it (because there
is no ',' to start a second stream specifier). This discrepancy led to
segfaults (null pointer dereferencing) in the rest of the code (when the
nonexistent second stream associated to the variant stream was involved).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
libavformat/hlsenc.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
index 008a3f3947..843b906203 100644
--- a/libavformat/hlsenc.c
+++ b/libavformat/hlsenc.c
@@ -1867,7 +1867,7 @@ fail:
static int get_nth_codec_stream_index(AVFormatContext *s,
enum AVMediaType codec_type,
- int stream_id)
+ int64_t stream_id)
{
unsigned int stream_index, cnt;
if (stream_id < 0 || stream_id > s->nb_streams - 1)
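Review bot: The bounds check `stream_id > s->nb_streams - 1`, left as context in this hunk, still depends on unsigned wraparound: `s->nb_streams` is unsigned, so with zero streams the right-hand side becomes UINT_MAX and, now that `stream_id` is int64_t, every value from 0 up to UINT_MAX passes the check. Since the signature is being touched anyway, consider writing the test as `stream_id >= s->nb_streams`, which has no wrap case and reads as the plain range check it is meant to be.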
@@ -1950,6 +1950,8 @@ static int
parse_variant_stream_mapstring(AVFormatContext *s)
nb_streams = 0;
while (keyval = av_strtok(varstr, ",", &saveptr2)) {
+ int64_t num;
+ char *end;
varstr = NULL;
if (av_strstart(keyval, "language:", &val)) {
av_free(vs->language);
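Review bot: `num` and `end` are declared for the whole loop body, but the only use in this patch is in the stream-number branch further down; on the `language:` path visible here they are never set or read. Declaring them in the block that parses the number, or moving that parse into a small helper that returns the validated value, would keep the scope matched to the use.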
@@ -1998,10 +2000,12 @@ static int
parse_variant_stream_mapstring(AVFormatContext *s)
return AVERROR(EINVAL);
}
- stream_index = -1;
- if (av_isdigit(*val))
- stream_index = get_nth_codec_stream_index (s, codec_type,
- atoi(val));
+ num = strtoll(val, &end, 10);
+ if (!av_isdigit(*val) || *end != '\0' || val == end) {
+ av_log(s, AV_LOG_ERROR, "Invalid stream number: '%s'\n",
val);
+ return AVERROR(EINVAL);
+ }
+ stream_index = get_nth_codec_stream_index(s, codec_type,
num);
if (stream_index >= 0 && nb_streams < vs->nb_streams) {
for (i = 0; nb_streams > 0 && i < nb_streams; i++) {
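Review bot: In `!av_isdigit(*val) || *end != '\0' || val == end` the last test is dead: once `av_isdigit(*val)` holds, strtoll consumes at least that digit, so `end` can never equal `val`. It can be dropped, while the `av_isdigit(*val)` test has to stay because strtoll on its own would accept leading whitespace and a sign. The error message also prints only `val`; logging `keyval` would show the user the complete entry that was rejected, including its "a:", "v:" or "s:" prefix. A number too large for int64_t is not checked here (strtoll saturates), so rejection of that case rests on the range check in get_nth_codec_stream_index; a short comment saying so would help the next reader.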
--
2.20.1
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8652#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
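The mismatch described in the commit message above, as an added stand-alone example; this is not FFmpeg code. The helper names `count_specifiers` and `parse_group` are hypothetical, and the sketch handles only "a:", "v:" and "s:" entries. It shows how the counting pass and a lenient `atoi()`-style parse disagree on `v:0_v:1`, and how requiring the number to end the entry rejects it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-allocation pass: count every "a:", "v:" or "s:" in the group. */
static int count_specifiers(const char *group)
{
    int n = 0;
    for (const char *p = group; *p; p++)
        if ((*p == 'a' || *p == 'v' || *p == 's') && p[1] == ':')
            n++;
    return n;
}

/* Entry pass: split on ',' and parse "<type>:<number>".
 * Returns the number of entries mapped, or -1 if an entry is rejected. */
static int parse_group(const char *group, int strict)
{
    int mapped = 0;
    while (*group) {
        size_t len = strcspn(group, ",");
        char num[64], *end;
        if (len < 3 || len - 2 >= sizeof(num) ||
            !strchr("avs", group[0]) || group[1] != ':')
            return -1;
        memcpy(num, group + 2, len - 2);
        num[len - 2] = '\0';
        if (!isdigit((unsigned char)num[0]))
            return -1;
        (void)strtoll(num, &end, 10);
        /* Lenient mode mimics atoi(): text after the digits is ignored. */
        if (strict && *end != '\0')
            return -1;
        mapped++;
        group += len;
        if (*group == ',')
            group++;
    }
    return mapped;
}

int main(void)
{
    const char *bad = "v:0_v:1";   /* constructed input from the commit message */
    printf("counted=%d lenient=%d strict=%d\n", count_specifiers(bad),
           parse_group(bad, 0), parse_group(bad, 1));
    return 0;
}
```

With the lenient parse the array is sized for two streams but only one is filled, which is the state the commit message identifies as leading to the null pointer dereference.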