Opened 6 years ago

Closed 6 years ago

#4456 closed defect (invalid)

unsafe use of avio_r*() functions could put demuxers into wrong state

Reported by: bbcallen
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no


Many demuxers are parsing frames by using avio_r*() functions without checking EOF/error.

Take libavformat/flvdec.c as an example:
(Line 903):

// 1. return 0 for EOF/Error
// 2. mark s->eof_reached to 1, so far, so good.
size = avio_rb32(s->pb); 

// 1. make a successful seek to the wrong place
// 2. reset s->eof_reached to 0
avio_seek(s->pb, fsize - 3 - size, SEEK_SET);

// continue to read at wrong place.
if (size == avio_rb24(s->pb) + 11) {
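
The sequence in the ticket, reproduced as an added example on a toy in-memory reader (this is not FFmpeg code and not part of the ticket). `MemIO`, the `mem_*` helpers and the `trailer_*` functions are hypothetical names; the reader is assumed to behave as the ticket's comments describe: reads return 0 at EOF and set `eof_reached`, and a successful seek clears it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a byte reader, NOT FFmpeg's AVIOContext (assumption: reads
 * return 0 at EOF and set eof_reached; a successful seek clears the flag). */
typedef struct { const uint8_t *buf; int64_t len, pos; int eof_reached; } MemIO;

static unsigned mem_r8(MemIO *io) {
    if (io->pos >= io->len) { io->eof_reached = 1; return 0; }
    return io->buf[io->pos++];
}
static unsigned mem_rb24(MemIO *io) {
    unsigned v = mem_r8(io) << 16; v |= mem_r8(io) << 8; return v | mem_r8(io);
}
static unsigned mem_rb32(MemIO *io) {
    unsigned v = mem_rb24(io) << 8; return v | mem_r8(io);
}
static int mem_seek(MemIO *io, int64_t off) {
    if (off < 0 || off > io->len) return -1;
    io->pos = off; io->eof_reached = 0; return 0;
}

/* Pattern from the ticket: the EOF raised by the 32-bit read is erased by
 * the seek, so nothing afterwards shows that 'size' was never really read. */
int trailer_unchecked(MemIO *io, int64_t fsize) {
    unsigned size = mem_rb32(io);
    mem_seek(io, fsize - 3 - size);
    unsigned body = mem_rb24(io);
    return io->eof_reached ? -1 : (size == body + 11);
}

/* Checked variant: test the flag before a seek can reset it, and check the seek. */
int trailer_checked(MemIO *io, int64_t fsize) {
    unsigned size = mem_rb32(io);
    if (io->eof_reached) return -1;
    if (mem_seek(io, fsize - 3 - (int64_t)size) < 0) return -1;
    unsigned body = mem_rb24(io);
    if (io->eof_reached) return -1;
    return size == body + 11;
}

int main(void) {
    uint8_t buf[20] = {0};                 /* constructed sample data */
    buf[4] = 4; buf[19] = 15;              /* 24-bit body size 4, trailer 15 */
    MemIO a = { buf, 20, 20, 0 }, b = a;   /* reader already at EOF */
    int r = trailer_unchecked(&a, 20);
    printf("unchecked=%d eof_reached=%d\n", r, a.eof_reached);
    printf("checked=%d\n", trailer_checked(&b, 20));
    return 0;
}
```

With the reader already at EOF, the unchecked variant reports an ordinary "no match" and leaves `eof_reached` at 0, while the checked variant returns the error.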

Change History (4)

comment:1 by bbcallen, 6 years ago

Component: undetermined → avformat
Version: unspecified → git-master

comment:2 by Hendrik, 6 years ago

"Generic" error reports are unlikely to get any attention.

If you think there is an actual error in a demuxer, you should point out which demuxer and ideally a file with which it can be reproduced.

comment:3 by bbcallen, 6 years ago

Thanks for your advice.

Actually, there are too many 'errors' in different demuxers to fix them once and for all. At least flv and mov, in my situation.

I'll submit a patch to ffmpeg-devel as a basis for discussion.

comment:4 by Michael Niedermayer, 6 years ago

Resolution: invalid
Status: new → closed

I am closing this as it's not a specific bug that a human could fix. Aka this is way too broad and generic. Please open separate tickets or submit patches, one per issue, if there are issues remaining after your patches.
