On 18.10.2016 23:46, Hendrik Leppkes wrote:
> On Tue, Oct 18, 2016 at 11:26 PM, Andreas Cadhalpun
> <andreas.cadhal...@googlemail.com> wrote:
>> On 18.10.2016 22:56, Michael Niedermayer wrote:
>>> On Tue, Oct 18, 2016 at 10:31:37PM +0200, Andreas Cadhalpun wrote:
>>>> Nothing guarantees to set request_probe to -1, so this assert can be
>>>> triggered, e.g. if st->probe_packets is 0.
>>>
>>> probe_codec() called with NULL should cause
>>> st->probe_packets = 0
>>> st->request_probe = -1;
>>
>> Yes, but request_probe can be change to a different value later on,
>> e.g. in ff_parse_mpeg2_descriptor:
>>
>> int ff_read_packet(AVFormatContext *s, AVPacket *pkt)
>> {
>> [...]
>> if (s->internal->raw_packet_buffer_remaining_size <= 0)
>> if ((err = probe_codec(s, st, NULL)) < 0) // probe_packets =
>> 0, request_probe = -1
>> return err;
>> [...]
>> ret = s->iformat->read_packet(s, pkt);
>> ~~~
>> ff_parse_mpeg2_descriptor([...])
>> {
>> [...]
>> switch (desc_tag) {
>> [...]
>> case 0x05: /* registration descriptor */
>> [...]
>> st->request_probe = 50;
>> [...]
>> }
>> ~~~
>> [...]
>> if (st->probe_packets) // still 0
>> if ((err = probe_codec(s, st, NULL)) < 0)
>> return err;
>> av_assert0(st->request_probe <= 0); // now 50
>> SIGABRT
>>
>
> Can you actually make that happen, or is that just speculation?
Yes, at least in ffmpeg 3.1.4 and master with commit 04fa20d reverted.
(I do fuzz-testing, not speculating.)
Best regards,
Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
