On Tue, Apr 30, 2024 at 06:27:23PM -0300, James Almer wrote: > On 4/29/2024 9:48 PM, Michael Niedermayer wrote: > > Fixes: division by 0 > > Fixes: decoder modifying demuxer channels on failure > > Fixes: -sseof -5 -i zgclab/ffmpeg_crash/poc3 > > > > Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavutil/opt.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/libavutil/opt.c b/libavutil/opt.c > > index ecbf7efe5fb..24c08e4bc06 100644 > > --- a/libavutil/opt.c > > +++ b/libavutil/opt.c > > @@ -132,9 +132,11 @@ static void opt_free_elem(const AVOption *o, void *ptr) > > av_dict_free((AVDictionary **)ptr); > > break; > > - case AV_OPT_TYPE_CHLAYOUT: > > + case AV_OPT_TYPE_CHLAYOUT: { > > + int nb_channels = ((AVChannelLayout *)ptr)->nb_channels; > > av_channel_layout_uninit((AVChannelLayout *)ptr); > > - break; > > + ((AVChannelLayout *)ptr)->nb_channels = nb_channels; > > + break;} > > default: > > break; > > A little bit of context would be helpful here. What's using nb_channels > after av_opt_free was called and where?
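Review bot: In the AV_OPT_TYPE_CHLAYOUT case, writing nb_channels back after av_channel_layout_uninit() leaves a layout that has been uninitialized but still reports a channel count, and nothing in the hunk explains why. Add a comment naming the caller that reads the field after the free, which is the question asked in the reply, or reject a zero count at the point of division instead. Style: `break;}` puts the closing brace on the statement line; move `}` to its own line.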
demuxer sets nb_channels
find stream info copies codec params to context
find stream info tries opening decoder
decoder refuses, and opt_free_elem() is called on cleanup
context now has 0 channels
context gets copied into params of demuxer
demuxer goes like "I have set the channels to a non-zero value, let me divide by them" and oops

there is more than one position in this chain of events where this can be fixed

thx

[...]
--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Observe your enemies, for they first find out your faults. -- Antisthenes
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
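The chain of events described in the reply above, as an added example that is not part of the original thread and not FFmpeg code: a simplified C model in which the types (`Layout`, `Params`, `DecCtx`) and all functions are hypothetical stand-ins. It shows the zeroed count travelling back to the demuxer after a failed decoder open, the effect of preserving the count on free as the patch does, and a check at the point of division.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for this model; these are not FFmpeg types. */
typedef struct { int nb_channels; } Layout;
typedef struct { Layout ch_layout; int block_bytes; } Params; /* demuxer side */
typedef struct { Layout ch_layout; } DecCtx;                  /* decoder side */

static void layout_uninit(Layout *l) { memset(l, 0, sizeof(*l)); }
/* Decoder open that refuses the stream; its cleanup frees the option. */
static int open_decoder(DecCtx *c, int preserve_count)
{
    int nb = c->ch_layout.nb_channels;
    layout_uninit(&c->ch_layout);
    if (preserve_count)               /* models the patched free path */
        c->ch_layout.nb_channels = nb;
    return -1;
}

/* Probe: params -> context, try the decoder, context -> params. */
static void probe(Params *p, int preserve_count)
{
    DecCtx c;
    c.ch_layout = p->ch_layout;
    open_decoder(&c, preserve_count);
    p->ch_layout = c.ch_layout;       /* copied back even though open failed */
}

/* Channel count the demuxer sees after a failed probe (it had set 2). */
int channels_after_failed_probe(int preserve_count)
{
    Params p = { { 2 }, 1024 };       /* constructed sample values */
    probe(&p, preserve_count);
    return p.ch_layout.nb_channels;
}

/* Demuxer-side division that validates the count at the point of use. */
int bytes_per_channel(int block_bytes, int nb_channels, int *out)
{
    if (nb_channels <= 0)
        return -1;                    /* reject instead of dividing by 0 */
    *out = block_bytes / nb_channels;
    return 0;
}

int main(void)
{
    printf("channels after failed probe: unpatched=%d patched=%d\n",
           channels_after_failed_probe(0), channels_after_failed_probe(1));
    return 0;
}
```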