The code crashes and neither the authors nor anyone else fixed this.
We cannot release code which crashes, so if no one fixes it, the only
option left is to disable or revert. Revert is difficult as there are
multiple commits afterwards.

Fixes: 22082/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5688619118624768
Fixes: crash from V-codecs/Theora/theora_testsuite_broken/multi2.ogg

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavformat/oggdec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 9eb45499c6..1f3ed8024c 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -229,6 +229,15 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t 
serial, char *magic,
     /* We only have a single stream anyway, so if there's a new stream with
      * a different codec just replace it */
     os = &ogg->streams[0];
+    if (os->codec != codec) {
+        /*
+         * The codec change code from 8296443a70f052a6f5c9a867d28b83a5eb7d304d 
and surounding commits
+         * crashes with out of array accesses
+         * testcase is 
https://samples.ffmpeg.org/V-codecs/Theora/theora_testsuite_broken/multi2.ogg
+         */
+        return AVERROR_PATCHWELCOME;
+    }
+
     os->serial  = serial;
     os->codec   = codec;
     os->serial  = serial;
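Review bot: The early return in the new `if (os->codec != codec)` block silently aborts demuxing on a mid-stream codec change; since the whole point of the change is to disable a feature users may rely on, please emit an `av_log` at warning level before `return AVERROR_PATCHWELCOME;` so the cause is visible in the output rather than an opaque error. Also in the added comment, "surounding" should read "surrounding", and the commit hash line and the samples.ffmpeg.org URL are wrapped across lines; each should stay on one line so the reference remains copyable. Unrelated to this change but visible in the context: `os->serial  = serial;` is assigned twice (once before and once after `os->codec = codec;`), which could be cleaned up in a follow-up.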
-- 
2.17.1
