Michael Niedermayer: > On Fri, Mar 19, 2021 at 12:20:23AM +0100, Andreas Rheinhardt wrote: >> Michael Niedermayer: >>> Fixes: null pointer dereference >>> Fixes: >>> 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768 >>> >>> Found-by: continuous fuzzing process >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >>> --- >>> libavformat/avidec.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/libavformat/avidec.c b/libavformat/avidec.c >>> index fa0599501a..48370fe5ce 100644 >>> --- a/libavformat/avidec.c >>> +++ b/libavformat/avidec.c >>> @@ -1288,7 +1288,7 @@ start_sync: >>> AVStream *st1 = s->streams[1]; >>> AVIStream *ast1 = st1->priv_data; >>> // workaround for broken small-file-bug402.avi >>> - if ( d[2] == 'w' && d[3] == 'b' >>> + if (ast1 && d[2] == 'w' && d[3] == 'b' >>> && n == 0 >>> && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO >>> && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO >>> >> How is this possible? After all, dv streams also have an AVIStream as > > The DV demuxer creates streams in dv_extract_audio_info() without a AVIStream >
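Review bot: the new `ast1 &&` guard in the `if` condition stops the NULL dereference but leaves the reason undocumented; the only nearby comment is `// workaround for broken small-file-bug402.avi`, so a reader will not know why `st1->priv_data` can be NULL for stream 1. Suggest extending that comment with the explanation given in this thread, e.g. `// ast1 may be NULL: the DV demuxer adds streams in dv_extract_audio_info() without an AVIStream priv_data`. Also, the context line `AVStream *st1 = s->streams[1];` relies on a second stream existing; the `s->nb_streams > 1` check it depends on is not visible in this hunk, so it is worth confirming it precedes this block.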
That explains it. Thanks. Patch is fine by me, but I haven't looked at it in detail. But neither dv nor avi set the AVFMTCTX_NOHEADER flag, so adding streams later is an API violation.

>
>> priv_data; and only the very first stream can ever be a dv stream due to
>> the check in line 605.
>
> I assume they are created after that check
>