On 24.05.2015 19:23, Michael Niedermayer wrote:
> On Sun, May 24, 2015 at 03:21:25PM +0200, Andreas Cadhalpun wrote:
>>  mov.c |    5 +++++
>>  1 file changed, 5 insertions(+)
>> 199a14800f0d79aa85b8dc01c2c1dc2743c3fb0d  
>> 0001-mov-check-for-negative-stsc-count.patch
>> From 1d66ce9f96ccd4e130837a5e38885109f26bb4f6 Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> Date: Sun, 24 May 2015 15:14:23 +0200
>> Subject: [PATCH] mov: check for negative stsc count
>>
>> A negative stsc count can cause the mov demuxer to return a large
>> number of empty packets.
> 
> ISO/IEC 14496-12:2012(E) says the field is unsigned so it cannot be
> negative
> 
> 8.7.4.2   Syntax
> aligned(8) class SampleToChunkBox
>     extends FullBox("stsc", version = 0, 0) {
>     unsigned int(32) entry_count;
>     for (i=1; i <= entry_count; i++) {
>         unsigned int(32) first_chunk;
>         unsigned int(32) samples_per_chunk;
>         unsigned int(32) sample_description_index;
>     }
> }

OK, but then the types of the members of MOVStsc and likely also MOVStts
are incorrectly int. The first attached patch changes that.

The second patch is another attempt at fixing the original problem.
Surely zero bytes_per_frame with non-zero samples_per_frame must be invalid,
or is it also allowed by the spec?

Best regards,
Andreas
From 098f9f4a4f21e98236b2708810d2fa5d997301df Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Mon, 25 May 2015 16:26:33 +0200
Subject: [PATCH 1/2] isom: use uint32_t instead of int for members of MOVStts
 and MOVStsc

This is specified in ISO/IEC 14496-12:2012(E) and they are used as
unsigned already.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/isom.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavformat/isom.h b/libavformat/isom.h
index 5d48989..7daba56 100644
--- a/libavformat/isom.h
+++ b/libavformat/isom.h
@@ -43,14 +43,14 @@ int ff_mov_lang_to_iso639(unsigned code, char to[4]);
  */
 
 typedef struct MOVStts {
-    int count;
-    int duration;
+    uint32_t count;
+    uint32_t duration;
 } MOVStts;
 
 typedef struct MOVStsc {
-    int first;
-    int count;
-    int id;
+    uint32_t first;
+    uint32_t count;
+    uint32_t id;
 } MOVStsc;
 
 typedef struct MOVElst {
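Review bot: Changing all five members of MOVStts and MOVStsc to uint32_t in the header without touching a single user leaves the "they are used as unsigned already" claim in the commit message unverifiable from this patch. Any `< 0` test, `%d` format string or signed subtraction on `count`, `duration`, `first` or `id` elsewhere would silently change meaning once these become unsigned. I would like the commit message to name the call sites that were audited, and in particular to say whether anything relies on a negative `duration`, since that member is changed along with the three the quoted stsc syntax covers.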
-- 
2.1.4

From 42c8b0c216b39fd2cb8b329669737ce771ecdd20 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Mon, 25 May 2015 17:17:39 +0200
Subject: [PATCH 2/2] mov: reject zero bytes_per_frame with non-zero
 samples_per_frame

In this case the mov demuxer can return a large number of empty packets.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/mov.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index e32f7f4..0d50353 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2587,6 +2587,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
                 AVIndexEntry *e;
                 unsigned size, samples;
 
+                if (sc->samples_per_frame > 1 && !sc->bytes_per_frame) {
+                    av_log(mov->fc, AV_LOG_ERROR,
+                           "samples per frame %d, but zero bytes per frame\n",
+                           sc->samples_per_frame);
+                    return;
+                }
+
                 if (sc->samples_per_frame >= 160) { // gsm
                     samples = sc->samples_per_frame;
                     size = sc->bytes_per_frame;
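Review bot: The condition `sc->samples_per_frame > 1 && !sc->bytes_per_frame` does not match the subject line, which says "non-zero samples_per_frame": with samples_per_frame == 1 and bytes_per_frame == 0 the check is skipped. Either the condition or the subject should change, with a short comment explaining why 1 is exempt if that is intended. Also, the bare `return` from this void function exits at this nesting depth with whatever index entries were already added and gives the caller no error indication; since the test reads only `sc` fields, it could be done once before index building starts, or where the two fields are parsed, so the stream is rejected cleanly.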
-- 
2.1.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
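
An added example, not part of the original mail and not FFmpeg code: a minimal parser for the stsc payload following the SampleToChunkBox syntax quoted above, keeping every field as uint32_t and rejecting an entry_count the payload cannot hold. StscEntry, rb32, parse_stsc and the two sample buffers are hypothetical names, and the buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical type; fields follow the quoted SampleToChunkBox syntax. */
typedef struct StscEntry { uint32_t first, count, id; } StscEntry;

static uint32_t rb32(const uint8_t *p)   /* read big-endian 32-bit value */
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* buf/len: FullBox payload = version+flags (4), entry_count (4), 12 bytes per
 * entry. Returns the entry count, or -1 if truncated or over-claiming. */
static int64_t parse_stsc(const uint8_t *buf, size_t len, StscEntry **out)
{
    *out = NULL;
    if (len < 8)
        return -1;
    uint32_t entries = rb32(buf + 4);
    if (entries > (len - 8) / 12)   /* unsigned compare: 0xFFFFFFFF is not -1 */
        return -1;
    if (!entries)
        return 0;
    StscEntry *e = malloc((size_t)entries * sizeof(*e));
    if (!e)
        return -1;
    for (uint32_t i = 0; i < entries; i++) {
        const uint8_t *p = buf + 8 + (size_t)i * 12;
        e[i] = (StscEntry){ rb32(p), rb32(p + 4), rb32(p + 8) };
    }
    *out = e;
    return entries;
}

/* Constructed samples: one entry with samples_per_chunk = 0x80000000 (negative
 * if stored in an int), and a box claiming 0xFFFFFFFF entries with no data. */
static const uint8_t SAMPLE_OK[] = { 0,0,0,0, 0,0,0,1, 0,0,0,1, 0x80,0,0,0, 0,0,0,1 };
static const uint8_t SAMPLE_HOSTILE[] = { 0,0,0,0, 0xFF,0xFF,0xFF,0xFF };

int main(void)
{
    StscEntry *e;
    int64_t n = parse_stsc(SAMPLE_OK, sizeof(SAMPLE_OK), &e);
    printf("ok: %lld entries, samples_per_chunk=%u\n", (long long)n, n > 0 ? (unsigned)e[0].count : 0u);
    free(e);
    printf("hostile: %lld\n", (long long)parse_stsc(SAMPLE_HOSTILE, sizeof(SAMPLE_HOSTILE), &e));
    return 0;
}
```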
