[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/0.10 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [39a6977354de23d313d027b9f604b0a5da0f55d7] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39a6977354de23d313d027b9f604b0a5da0f55d7
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 484f8c1..65aecb0 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1229,13 +1229,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/2.3 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [a6f808b36ae87cda814f08685f063ca56c8023a4] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a6f808b36ae87cda814f08685f063ca56c8023a4
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index ea0b5ab..9e5faba 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1471,13 +1471,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/2.1 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [68b6a5efbfd530e705a4b1e91da38f1350406264] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68b6a5efbfd530e705a4b1e91da38f1350406264
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 6552efe..884960b 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1425,13 +1425,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/1.1 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [437e50b3d65fecd374b56c39c55bc6d340004502] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=437e50b3d65fecd374b56c39c55bc6d340004502
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5f5ab91..aabf4e7 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1346,13 +1346,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/2.4 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [95c298b125022779bef5ec261c3118028fff4750] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95c298b125022779bef5ec261c3118028fff4750
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e3cd1e4..26717df 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1412,13 +1412,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/1.2 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [084102cd47ca89b79145b5cde5be97aa8a2dc118] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=084102cd47ca89b79145b5cde5be97aa8a2dc118
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 767fa5e..1535071 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1362,13 +1362,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/2.5 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [f7b536665706b5cb941b15abafd28f67ae2b0604] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f7b536665706b5cb941b15abafd28f67ae2b0604
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index c81b5a04..e9ba1e9 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1414,13 +1414,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: release/2.2 | wm4 | Sat Dec 6
16:53:30 2014 +0100| [9a02be31225bef65de8f22fe56e1e0063e85126e] | committer:
Michael Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a02be31225bef65de8f22fe56e1e0063e85126e
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 37e0d19..cc6450e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1427,13 +1427,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: fix handling of recursive SeekHead elements
ffmpeg | branch: master | wm4 | Sat Dec 6 16:53:30
2014 +0100| [6551acab6877addae815decd02aeca33ba4990c8] | committer: Michael
Niedermayer
avformat/matroskadec: fix handling of recursive SeekHead elements
When matroska_execute_seekhead() is called, it goes through the list of
seekhead entries and attempts to read elements not read yet. When doing
this, the parser can find further SeekHead elements, and will extend the
matroska->seekhead list. This can lead to a (practically) infinite loop
with certain broken files. (Maybe it can happen even with valid files.
The demuxer doesn't seem to check correctly whether an element has
already been read.)
Fix this by ignoring elements that were added to the seekhead field
during executing seekhead entries.
This does not fix the possible situation when multiple SeekHead elements
after the file header (i.e. occur after the "before_pos" file position)
point to the same elements. These elements will probably be parsed
multiple times, likely leading to bugs.
Fixes ticket #4162.
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6551acab6877addae815decd02aeca33ba4990c8
---
libavformat/matroskadec.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index c81b5a04..e9ba1e9 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1414,13 +1414,17 @@ static void
matroska_execute_seekhead(MatroskaDemuxContext *matroska)
EbmlList *seekhead_list = &matroska->seekhead;
int64_t before_pos = avio_tell(matroska->ctx->pb);
int i;
+int nb_elem;
// we should not do any seeking in the streaming case
if (!matroska->ctx->pb->seekable ||
(matroska->ctx->flags & AVFMT_FLAG_IGNIDX))
return;
-for (i = 0; i < seekhead_list->nb_elem; i++) {
+// do not read entries that are added while parsing seekhead entries
+nb_elem = seekhead_list->nb_elem;
+
+for (i = 0; i < nb_elem; i++) {
MatroskaSeekhead *seekhead = seekhead_list->elem;
if (seekhead[i].pos <= before_pos)
continue;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
