Opened 6 years ago

Closed 6 years ago

#4456 closed defect (invalid)

unsafe use of avio_r*() functions could cause demuxers into wrong state

Reported by: bbcallen
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no


Many demuxers are parsing frames by using avio_r*() functions without checking EOF/error.

Take libavformat/flvdec.c as an example:
(Line 903):

// 1. return 0 for EOF/Error
// 2. mark s->eof_reached to 1, so far, so good.
size = avio_rb32(s->pb); 

// 1. make a successful seek to the wrong place
// 2. reset s->eof_reached to 0
avio_seek(s->pb, fsize - 3 - size, SEEK_SET);

// continue to read at wrong place.
if (size == avio_rb24(s->pb) + 11) {
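
A self-contained C model of the sequence quoted in the ticket description, added here as an illustration; it is not code from FFmpeg or from the reporter. `ToyIO` and the `toy_*` / `probe_*` functions are hypothetical stand-ins that only mimic the behaviour the ticket's comments describe (a read at EOF returns 0 and sets the flag, a successful seek clears it), and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for an I/O context (hypothetical, NOT FFmpeg's AVIOContext). */
typedef struct { const uint8_t *buf; int64_t size, pos; int eof_reached; } ToyIO;

static unsigned toy_r8(ToyIO *io) {            /* at EOF: return 0, set flag */
    if (io->pos >= io->size) { io->eof_reached = 1; return 0; }
    return io->buf[io->pos++];
}
static unsigned toy_rb24(ToyIO *io) {
    unsigned v = toy_r8(io) << 16;
    v |= toy_r8(io) << 8;
    return v | toy_r8(io);
}
static unsigned toy_rb32(ToyIO *io) {
    unsigned v = toy_rb24(io) << 8;
    return v | toy_r8(io);
}
static int64_t toy_seek(ToyIO *io, int64_t off) {  /* a good seek clears EOF */
    if (off < 0 || off > io->size) return -1;
    io->pos = off; io->eof_reached = 0;
    return off;
}

/* Sequence quoted in the ticket: nothing is checked between read and seek. */
static int probe_unchecked(ToyIO *io, int64_t fsize) {
    unsigned size = toy_rb32(io);        /* EOF here yields size == 0 */
    toy_seek(io, fsize - 3 - size);      /* lands at fsize - 3, EOF flag gone */
    return size == toy_rb24(io) + 11;    /* compares against unrelated bytes */
}

/* Checked variant: -1 on EOF or bad offset, else 1/0 for match/mismatch. */
static int probe_checked(ToyIO *io, int64_t fsize) {
    unsigned size = toy_rb32(io), got;
    if (io->eof_reached) return -1;
    if (size > fsize - 3 || toy_seek(io, fsize - 3 - size) < 0) return -1;
    got = toy_rb24(io);
    if (io->eof_reached) return -1;
    return size == got + 11;
}

int main(void) {
    static const uint8_t data[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed */
    ToyIO a = {data, 8, 8, 0}, b = {data, 8, 8, 0};   /* both already at EOF */
    int ra = probe_unchecked(&a, 8), rb = probe_checked(&b, 8);
    printf("unchecked: ret=%d eof=%d\n", ra, a.eof_reached);
    printf("checked:   ret=%d eof=%d\n", rb, b.eof_reached);
    return 0;
}
```

In the unchecked run the caller sees an ordinary "no match" result with the EOF flag cleared; the checked run reports the failed read and leaves the flag set.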

Change History (4)

comment:1 Changed 6 years ago by bbcallen

  • Component changed from undetermined to avformat
  • Version changed from unspecified to git-master

comment:2 Changed 6 years ago by heleppkes

"Generic" error reports are unlikely to get any attention.

If you think there is an actual error in a demuxer, you should point out which demuxer and ideally a file with which it can be reproduced.

comment:3 Changed 6 years ago by bbcallen

Thanks for your advice.

Actually, there are too many 'errors' in different demuxers to fix them once and for all. At least flv and mov, in my situation.

I'll submit a patch to ffmpeg-devel as a basis for discussion.

comment:4 Changed 6 years ago by michael

  • Resolution set to invalid
  • Status changed from new to closed

I am closing this as it's not a specific bug that a human could fix. Aka this is way too broad and generic. Please open separate tickets or submit patches, one per issue, if there are issues remaining after your patches.
