aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Wolenetz <wolenetz@chromium.org>2018-03-02 15:12:41 -0800
committerMichael Niedermayer <michael@niedermayer.cc>2018-03-05 01:16:34 +0100
commit133ddd38750acc01d0a9599d5b31375d33798d67 (patch)
tree9defcb16b64d554ed1edbc25f8cdcdf75f654968
parent0ec7eb930520b21b9cda34809378b0a8ca3a46e2 (diff)
downloadffmpeg-133ddd38750acc01d0a9599d5b31375d33798d67.tar.gz
avformat/mov: Initialize a potential gap in ctts_data in mov_build_index
mov_read_ctts ignores ctts entries having count <= 0. Generally, the aggregate of all ctts entries' count fields resulting from mov_read_ctts can be less than the corresponding sample_count. mov_build_index attempts to normalize any existing ctts_data counts to be 1, to make a 1-1 mapping of a ctts_data entry to a sample. That 1-1 mapping left a tail of uninitialized ctts_data entries when the aggregate, normalized ctts_count < sample_count. Even more generally, later usage of ctts_data may depend on the entire ctts_allocated_size having been initialized. This change memsets the entire allocation of the normalized ctts_data in mov_build_index, to prevent use of uninitialized data later. BUG=816787 Change-Id: I7fd7db255e3aeed076ee32c90cb2df211741c052 Reviewed-on: https://chromium-review.googlesource.com/947110 Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavformat/mov.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 00b3b25944..95b9cd3f8b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3747,6 +3747,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
av_free(ctts_data_old);
return;
}
+
+ memset((uint8_t*)(sc->ctts_data), 0, sc->ctts_allocated_size);
+
for (i = 0; i < ctts_count_old &&
sc->ctts_count < sc->sample_count; i++)
for (j = 0; j < ctts_data_old[i].count &&