A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation.
This can cause NULL pointer dereferencing in try_decode_frame.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/ffmdec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index afba905..ebf0ffd 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -330,6 +330,12 @@ static int ffm2_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+ if ((int)codec->codec_id < 0) {
+ av_log(s, AV_LOG_ERROR, "Codec id is negative: %d\n",
+ codec->codec_id);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ goto fail;
+ }
 codec->codec_type = avio_r8(pb);
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
@@ -516,6 +522,12 @@ static int ffm_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+ if ((int)codec->codec_id < 0) {
+ av_log(s, AV_LOG_ERROR, "Codec id is negative: %d\n",
+ codec->codec_id);
+ codec->codec_id = AV_CODEC_ID_NONE;
+ goto fail;
+ }
 codec->codec_type = avio_r8(pb); /* codec_type */
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
--
2.6.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
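Review bot: The 32-bit value read from the file is stored into `codec->codec_id` before it is validated, which is why the added lines in `ffm2_read_header` need both the `(int)` cast and the reset to `AV_CODEC_ID_NONE`. Reading into a local first, `int codec_id = avio_rb32(pb);`, testing `if (codec_id < 0)`, and only then assigning `codec->codec_id = codec_id;` keeps an unchecked value out of the enum field and makes the `%d` argument a plain int. The identical six lines are added to `ffm_read_header` in the second hunk, so the same applies there. The guard rejects only negative ids, so a non-negative id that no decoder knows still passes; a lookup such as `avcodec_descriptor_get()` may be the stricter check, though whether that case can reach try_decode_frame is not visible here. Both function bodies and the `fail` label lie outside the hunks, so the error code returned on this path cannot be confirmed from the patch.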