[FFmpeg-devel] [PR] avformat/mpegts: Dont assume fc->priv_data is a MpegTSContext (PR #23052)

Fri, 08 May 2026 13:13:33 -0700 

PR #23052 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23052
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23052.patch

Fixes: out of array access
Fixes: 
508365271/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6219535958212608

Regression since: b9cb948ec1

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>


>From 01cce5a2791ddee5b3ea445a5762c622e08d753c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Fri, 8 May 2026 21:19:14 +0200
Subject: [PATCH] avformat/mpegts: Dont assume fc->priv_data is a MpegTSContext

Fixes: out of array access
Fixes: 
508365271/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6219535958212608

Regression since: b9cb948ec1

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/mpegts.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index d62470592c..210635c9c9 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -290,6 +290,8 @@ EXTERN const FFInputFormat ff_mpegts_demuxer;
 static struct Program * get_program(MpegTSContext *ts, unsigned int programid)
 {
     int i;
+    if (!ts)
+        return NULL;
     for (i = 0; i < ts->nb_prg; i++) {
         if (ts->prg[i].id == programid) {
             return &ts->prg[i];
@@ -1848,9 +1850,9 @@ static const uint8_t opus_channel_map[8][8] = {
 };
 
 static int parse_mpeg2_extension_descriptor(AVFormatContext *fc, AVStream *st, 
int prg_id,
-                                            const uint8_t **pp, const uint8_t 
*desc_end)
+                                            const uint8_t **pp, const uint8_t 
*desc_end,
+                                            MpegTSContext *ts)
 {
-    MpegTSContext *ts = fc->priv_data;
     int ext_tag = get8(pp, desc_end);
 
     switch (ext_tag) {
@@ -2448,7 +2450,7 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, 
AVStream *st, int stream_type
         break;
     case EXTENSION_DESCRIPTOR: /* descriptor extension */
         {
-            int ret = parse_mpeg2_extension_descriptor(fc, st, prg_id, pp, 
desc_end);
+            int ret = parse_mpeg2_extension_descriptor(fc, st, prg_id, pp, 
desc_end, ts);
 
             if (ret < 0)
                 return ret;
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to