xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/mpegts: Dont assume fc->priv_data is a MpegTSContext

Browse Source 
Fixes: out of array access
Fixes: 508365271/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6219535958212608

Regression since: b9cb948ec1

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-05-08 21:19:14 +02:00
committed by michaelni
parent b2dfc14276
commit 188461be10
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavformat/mpegts.c
+5 -3
View File
@@ -290,6 +290,8 @@ EXTERN const FFInputFormat ff_mpegts_demuxer;
static struct Program * get_program(MpegTSContext *ts, unsigned int programid)
{
int i;
if (!ts)
return NULL;
for (i = 0; i < ts->nb_prg; i++) {
if (ts->prg[i].id == programid) {
return &ts->prg[i];
@@ -1848,9 +1850,9 @@ static const uint8_t opus_channel_map[8][8] = {
};
static int parse_mpeg2_extension_descriptor(AVFormatContext *fc, AVStream *st, int prg_id,
const uint8_t **pp, const uint8_t *desc_end)
const uint8_t **pp, const uint8_t *desc_end,
MpegTSContext *ts)
{
MpegTSContext *ts = fc->priv_data;
int ext_tag = get8(pp, desc_end);
switch (ext_tag) {
@@ -2448,7 +2450,7 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type
break;
case EXTENSION_DESCRIPTOR: /* descriptor extension */
{
int ret = parse_mpeg2_extension_descriptor(fc, st, prg_id, pp, desc_end);
int ret = parse_mpeg2_extension_descriptor(fc, st, prg_id, pp, desc_end, ts);
if (ret < 0)
return ret;