This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new dbd495f066 avformat/vobsub: reuse subtitle streams and bound the
stream count
dbd495f066 is described below
commit dbd495f066a85ba96b17433f4306582aa37c3951
Author: Pavel Kohout <[email protected]>
AuthorDate: Mon Jun 29 23:30:41 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Thu Jul 2 14:38:22 2026 +0000
avformat/vobsub: reuse subtitle streams and bound the stream count
Fixes: heap buffer overflow
Fixes: lqaO5R1BaZGO
Fixes: dbfe61100b (avformat/vobsub: fix several issues.)
Found-by: Pavel Kohout (Aisle Research)
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavformat/mpeg.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index ff5ced8107..29abe329b9 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -841,6 +841,20 @@ static int vobsub_read_header(AVFormatContext *s)
}
if (!st || st->id != stream_id) {
+ st = NULL;
+ for (i = 0; i < s->nb_streams; i++) {
+ if (s->streams[i]->id == stream_id) {
+ st = s->streams[i];
+ break;
+ }
+ }
+ }
+ if (!st) {
+ if (s->nb_streams >= FF_ARRAY_ELEMS(vobsub->q)) {
+ av_log(s, AV_LOG_ERROR, "Maximum number of subtitle
streams reached\n");
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
st = avformat_new_stream(s, NULL);
if (!st) {
ret = AVERROR(ENOMEM);
@@ -865,14 +879,14 @@ static int vobsub_read_header(AVFormatContext *s)
timestamp = (hh*3600LL + mm*60LL + ss) * 1000LL + ms + delay;
timestamp = av_rescale_q(timestamp, av_make_q(1, 1000),
st->time_base);
- sub = ff_subtitles_queue_insert(&vobsub->q[s->nb_streams - 1], "",
0, 0);
+ sub = ff_subtitles_queue_insert(&vobsub->q[st->index], "", 0, 0);
if (!sub) {
ret = AVERROR(ENOMEM);
goto end;
}
sub->pos = pos;
sub->pts = timestamp;
- sub->stream_index = s->nb_streams - 1;
+ sub->stream_index = st->index;
} else if (!strncmp(line, "alt:", 4)) {
const char *p = line + 4;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]