github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avformat/mpegts: remove JPEG-XS early return on invalid header_size

Browse Source 
new_pes_packet() moves a buffer with pkt->buf = pes->buffer before
JPEG-XS validation. If header_size > pkt->size, an early return leaves
pes->buffer as a stale alias of pkt->buf with refcount 1. Later,
mpegts_read_packet() calls av_packet_unref(), freeing the buffer
through pkt->buf. The flush loop then re-enters new_pes_packet() and
dereferences the dangling pes->buffer; a second path hits it via
av_buffer_unref() in handle_packets() after a seek.

Drop the early return. The packet is delivered with AV_PKT_FLAG_CORRUPT
set, matching the PES-size-mismatch case above, and the function falls
through to the normal cleanup path. The else guards the header trim so
pkt->data/pkt->size stay valid for the memset.

Fixes: use after free
Fixes regression since 16f89d342e.

Found-by: Nicholas Carlini <nicholas@carlini.com>
This commit is contained in:
Nicholas Carlini
2026-03-14 15:39:51 +00:00
committed by michaelni
parent 770bc1c23a
commit 55bf0e6cd5
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libavformat/mpegts.c
View File

@@ -1041,10 +1041,10 @@ static int new_pes_packet(PESContext *pes, AVPacket *pkt)
"Invalid JPEG-XS header size %"PRIu32" > packet size %d\n",
header_size, pkt->size);
pes->flags |= AV_PKT_FLAG_CORRUPT;
return AVERROR_INVALIDDATA;
} else {
pkt->data += header_size;
pkt->size -= header_size;
}
pkt->data += header_size;
pkt->size -= header_size;
}
memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);