On 24.05.2015 00:46, Michael Niedermayer wrote:
> On Sun, May 24, 2015 at 12:04:23AM +0200, Andreas Cadhalpun wrote:
>> + if (!sample->size) {
>> + av_log(s, AV_LOG_ERROR, "sample size is zero\n");
>> + return AVERROR_INVALIDDATA;
>> + }
>
> this would cause failure to demux future packets, i think its
> better to skip this but continue without failing
On 24.05.2015 09:21, Yusuke Nakamura wrote:
> 14496-12 does not prohibit sample_size = 0.
>
> See ISO/IEC 14496-12:2012 Corrected ver. 8.7.3.1 Definition.
>
> NOTE A sample size of zero is not prohibited in general, but it must be
> valid and defined for the coding
> system, as defined by the sample entry, that the sample belongs to.
OK, that was a bad idea.
Attached patch fixes the problem in a better way.
Best regards,
Andreas
>From 1d66ce9f96ccd4e130837a5e38885109f26bb4f6 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <[email protected]>
Date: Sun, 24 May 2015 15:14:23 +0200
Subject: [PATCH] mov: check for negative stsc count
A negative stsc count can cause the mov demuxer to return a large
number of empty packets.
Signed-off-by: Andreas Cadhalpun <[email protected]>
---
libavformat/mov.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index f1df6ce..08fea09 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2022,6 +2022,11 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
for (i = 0; i < entries && !pb->eof_reached; i++) {
sc->stsc_data[i].first = avio_rb32(pb);
sc->stsc_data[i].count = avio_rb32(pb);
+ if (sc->stsc_data[i].count < 0) {
+ av_log(c->fc, AV_LOG_ERROR, "negative stsc count %d\n",
+ sc->stsc_data[i].count);
+ return AVERROR_INVALIDDATA;
+ }
sc->stsc_data[i].id = avio_rb32(pb);
}
--
2.1.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
