Skip to content

GitLab

Switch branch/tag
  1. 19 Oct, 2021 3 commits
    • Andreas Rheinhardt's avatar
      avformat/mpegenc: Ensure packet queue stays valid · 010281ed
      Andreas Rheinhardt authored 
      
The MPEG-PS muxer uses a custom queue of custom packets. To keep track
of it, it has a pointer (named predecode_packet) to the head of the
queue and a pointer to where the next packet is to be added (it points
to the next-pointer of the last element of the queue); furthermore,
there is also a pointer that points into the queue (called premux_packet).

The exact behaviour was as follows: If premux_packet was NULL when a
packet is received, it is taken to mean that the old queue is empty and
a new queue is started. premux_packet will point to the head of said
queue and the next_packet-pointer points to its next pointer. If
predecode_packet is NULL, it will also made to point to the newly
allocated element.

But if premux_packet is NULL and predecode_packet is not, then there
will be two queues with head elements premux_packet and
predecode_packet. Yet only elements reachable from predecode_packet are
ever freed, so the premux_packet queue leaks.
Worse yet, when the predecode_packet queue will be eventually exhausted,
predecode_packet will be made to point into the other queue and when
predecode_packet will be freed, the next pointer of the preceding
element of the queue will still point to the element just freed. This
element might very well be still reachable from premux_packet which
leads to use-after-frees lateron. This happened in the tickets mentioned
below.

Fix this by never creating two queues in the first place by checking for
predecode_packet to know whether the queue is empty. If premux_packet is
NULL, then it is set to the newly allocated element of the queue.

Fixes tickets #6887, #8188 and #8266.
Signed-off-by: default avatarAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cfce1644)
      010281ed
    • Andreas Rheinhardt's avatar
      avformat/movenc: Fix segfault when remuxing rtp hint stream · f7c9b1ed
      Andreas Rheinhardt authored 
      
When remuxing an rtp hint stream (or any stream with the tag "rtp "),
the mov muxer treats this as one of the rtp hint tracks it creates
internally when ordered to do so; yet this track lacks the
AVFormatContext for the hinting rtp muxer, leading to segfaults in
mov_write_udta_sdp() if a "trak" atom is written for this stream; if not,
the stream's codecpar is freed by mov_free() as if the mov muxer owned
it (it does for the internally created "rtp " tracks), but without
resetting st->codecpar, leading to double-frees lateron. This commit
therefore ignores said tag which makes rtp hint streams unremuxable.

This fixes tickets #8181 and #8186.
Signed-off-by: default avatarAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 22c3cd17)
      f7c9b1ed
    • Baptiste Coudurier's avatar
      avformat/mxfenc: fix index byte count in partition header · 3c4e1a56
      Baptiste Coudurier authored
      3c4e1a56
  3. 17 Oct, 2021 1 commit
  5. 16 Oct, 2021 7 commits
  7. 07 Oct, 2021 1 commit
  9. 06 Oct, 2021 13 commits
  11. 13 Sep, 2021 15 commits