#4456: unsafe use of avio_r*() functions could cause demuxers into wrong state
-------------------------------------+-------------------------------------
 Reporter:  bbcallen                 |  Type:  defect
 Status:  new                        |  Priority:  normal
 Component:  undetermined            |  Version:  unspecified
 Keywords:                           |  Blocked By:
 Blocking:                           |  Reproduced by developer:  0
 Analyzed by developer:  0           |
-------------------------------------+-------------------------------------
Many demuxers are parsing frames by using
avio_r*() functions without checking EOF/error.

Take libavformat/flvdec.c as an example
(Line 903):
{{{
// 1. return 0 for EOF/Error
// 2. mark s->eof_reached to 1, so far, so good.
size = avio_rb32(s->pb);
// 1. make a successful seek to the wrong place
// 2. reset s->eof_reached to 0
avio_seek(s->pb, fsize - 3 - size, SEEK_SET);
// continue to read at wrong place.
if (size == avio_rb24(s->pb) + 11) {
...
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/4456>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
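
Added example, not part of the original ticket and not FFmpeg code: a small C model of the read/seek/read sequence quoted above, next to a variant that checks the EOF flag before seeking. It goes one step beyond the ticket by putting an EOF check at the end of the unchecked sequence, to show that a check placed after the seek cannot see the failed read. MockIO, mock_rb, mock_seek, demo and the sample bytes are constructed stand-ins that model only the behaviour the ticket describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the I/O context (not FFmpeg code). It models only
 * what the ticket describes: a read at EOF yields 0 and sets eof_reached, and
 * a successful seek resets eof_reached to 0. */
typedef struct { const uint8_t *buf; int64_t size, pos; int eof_reached; } MockIO;

static uint32_t mock_rb(MockIO *io, int nbytes) {     /* big-endian read */
    uint32_t v = 0;
    while (nbytes-- > 0) {
        if (io->pos >= io->size) io->eof_reached = 1;
        v = (v << 8) | (io->pos < io->size ? io->buf[io->pos++] : 0);
    }
    return v;
}

static int64_t mock_seek(MockIO *io, int64_t off) {
    if (off < 0 || off > io->size) return -1;
    io->pos = off;
    io->eof_reached = 0;                               /* flag is reset */
    return off;
}

/* Ticket's sequence plus an EOF check at the end: the check comes too late,
 * because the seek has already cleared the flag set by the failed read. */
static int64_t parse_late_check(MockIO *io) {
    uint32_t size = mock_rb(io, 4);                    /* at EOF: size == 0 */
    mock_seek(io, io->size - 3 - size);
    uint32_t v = mock_rb(io, 3);                       /* read at wrong place */
    return io->eof_reached ? -1 : (int64_t)v;
}

/* Same sequence with the read validated before the seek can hide the EOF. */
static int64_t parse_checked(MockIO *io) {
    uint32_t size = mock_rb(io, 4);
    if (io->eof_reached || mock_seek(io, io->size - 3 - size) < 0) return -1;
    uint32_t v = mock_rb(io, 3);
    return io->eof_reached ? -1 : (int64_t)v;
}

/* Constructed 8-byte input: a 32-bit size field (value 1), then payload.
 * start is the read position; start == 8 means the context is already at EOF. */
int64_t demo(int checked, int64_t start) {
    static const uint8_t sample[8] = {0, 0, 0, 1, 0x10, 0x20, 0x30, 0x40};
    MockIO io = {sample, 8, start, 0};
    return checked ? parse_checked(&io) : parse_late_check(&io);
}

int main(void) { printf("%lld %lld\n", (long long)demo(0, 8), (long long)demo(1, 8)); return 0; }
```

Starting at EOF, the late-check variant returns a value taken from the wrong offset as if it were valid, while the checked variant returns -1.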