This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new dbd495f066 avformat/vobsub: reuse subtitle streams and bound the 
stream count
dbd495f066 is described below

commit dbd495f066a85ba96b17433f4306582aa37c3951
Author:     Pavel Kohout <[email protected]>
AuthorDate: Mon Jun 29 23:30:41 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Thu Jul 2 14:38:22 2026 +0000

    avformat/vobsub: reuse subtitle streams and bound the stream count
    
    Fixes: heap buffer overflow
    Fixes: lqaO5R1BaZGO
    Fixes: dbfe61100b (avformat/vobsub: fix several issues.)
    Found-by: Pavel Kohout (Aisle Research)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mpeg.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index ff5ced8107..29abe329b9 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -841,6 +841,20 @@ static int vobsub_read_header(AVFormatContext *s)
             }
 
             if (!st || st->id != stream_id) {
+                st = NULL;
+                for (i = 0; i < s->nb_streams; i++) {
+                    if (s->streams[i]->id == stream_id) {
+                        st = s->streams[i];
+                        break;
+                    }
+                }
+            }
+            if (!st) {
+                if (s->nb_streams >= FF_ARRAY_ELEMS(vobsub->q)) {
+                    av_log(s, AV_LOG_ERROR, "Maximum number of subtitle 
streams reached\n");
+                    ret = AVERROR_INVALIDDATA;
+                    goto end;
+                }
                 st = avformat_new_stream(s, NULL);
                 if (!st) {
                     ret = AVERROR(ENOMEM);
@@ -865,14 +879,14 @@ static int vobsub_read_header(AVFormatContext *s)
             timestamp = (hh*3600LL + mm*60LL + ss) * 1000LL + ms + delay;
             timestamp = av_rescale_q(timestamp, av_make_q(1, 1000), 
st->time_base);
 
-            sub = ff_subtitles_queue_insert(&vobsub->q[s->nb_streams - 1], "", 
0, 0);
+            sub = ff_subtitles_queue_insert(&vobsub->q[st->index], "", 0, 0);
             if (!sub) {
                 ret = AVERROR(ENOMEM);
                 goto end;
             }
             sub->pos = pos;
             sub->pts = timestamp;
-            sub->stream_index = s->nb_streams - 1;
+            sub->stream_index = st->index;
 
         } else if (!strncmp(line, "alt:", 4)) {
             const char *p = line + 4;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to