rtmp_write is used both for writing outputs as a server. The
rt->listen flag determines which mode we're running in.
Previously, when running as a server, the message stream id would
always be set to 0 for media/metadata messages. This is surprising
given that we have both responded to "createStream()" with a value
of 1 and sent a "Stream Begin 1" to the client. Furthermore, some
client libraries (Red5) seem to trip up on receiving
"@setDataFrame" on stream 0 (and may be correct to assume that
this message would be sent on stream 1).
Forward errors from `avio_read` directly. When `avio_read` sees EOF before
expected bytes can be read, consistently return `AVERROR_INVALIDDATA`
We used to return `AVERROR(AVERROR_INVALIDDATA)` when failing to read
metadata block headers. `AVERROR_INVALIDDATA` is already negative, so
wrapping in `AVERROR` leads to double-negation.
We used to return `AVERROR(EIO)` when failing to read extended metadata.
However, many times, the IO-layer is not at fault, the input data is simply
corrupted (truncated), so we return `AVERROR_INVALIDDATA` here as well.
---
Tomas: changed to use AVERROR_EOF
Currently, a prematurely broken connection normally leads to the same
EOF, as a completed successful transfer. However, enabling reconnect
changes this logic, and leads to the return of EIO.
This patch unifies that logic, leading to the return of EIO for premature
disconnect, regardless of setting of "reconnect".
Theora signals "Output last frame again" with an empty packet.
To keep the behaviour of 18f24527eb of ignoring side data only packets, as
generated by the FLAC encoder to propagate updated extradata, also check for
pkt->side_data_size to choose wheter to mux the paket or not.
Fixes part of ticket #11451.
Signed-off-by: James Almer <jamrial@gmail.com>
If sc->tts_count is not 0, then the sample index has already been built.
Fixes: Null-dereference READ
Fixes: 396192874/clusterfuzz-testcase-minimized-audio_decoder_fuzzer-4589309789143040
Signed-off-by: James Almer <jamrial@gmail.com>
Some files keep extra metadata such as 'name' fields within udta, and
it is useful for Wine to access them with the "export_all" option so
they can then be exposed to Windows applications.
Signed-off-by: Rémi Bernon <rbernon@codeweavers.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
Using audio_substream_id for AVStream ids is not ideal give that in containers
like mp4, the IAMF structure is opaque to the outside and other streams may
share such id values.
Signed-off-by: James Almer <jamrial@gmail.com>
Currently when a Unix Domain Socket is used as input there is a loss
of data when data is consumed from the stream. Setting is_streamed to
true fixes this, since the unix domain socket is now treated like a
consumable stream.
Fixes: #9346
Signed-off-by: dank074 <torresefrain10@gmail.com>
Reviewed-by: Leo Izen <leo.izen@gmail.com>
This fix ensures that the loop stops early on EOF. The issue occurs
because mov_read_infe() performs a version check and skips unsupported
versions. The problem is that seeking within the stream clears the EOF
flag, causing avio_feof() to not function as expected. This is resolved
by moving the EOF check after reading the size and type, ensuring the
EOF flag is set when necessary.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 7803923888585309955 - -3407677434275325337 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 377736723/clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5052449500889088
Signed-off-by: James Almer <jamrial@gmail.com>
When running the cleanup in rtmp_close on failures in rtmp_open,
we can in rare cases end up using rt->playpath, assuming that it
is still set.
The crash could happen if we hit the fail codepath in rtmp_open
while publishing (rt->is_input == 0) with rt->state set to
a value > STATE_FCPUBLISH.
This would normally not happen while publishing; either we have
an error (and rt->state <= STATE_FCPUBLISH) or we reach
rt->state = STATE_PUBLISHING, and then we also return successfully
from rtmp_open.
The unexpected combination of states could happen if the server
responds with e.g. "NetStream.Play.Stop" while expecting
"NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED,
which also fulfills the condition "> STATE_FCPUBLISH".
We don't need to free the rt->playpath/tcurl/flashver strings here;
they're handled via AVOption, and thus are freed automatically when
the protocol instance is freed (that's why they aren't freed
manually within the rtmp_close function either).
We also don't need to free the AVDictionary with options; it's
owned by the caller.
A smaller fix would be to just call rtmp_close before freeing
the strings and dictionary, but as we don't need to free them
at all, let's remove that redundant code.
Signed-off-by: Martin Storsjö <martin@martin.st>
This blocks disallowed extensions from probing
It also requires all available segments to have matching extensions to the format
mpegts is treated independent of the extension
It is recommended to set the whitelists correctly
instead of depending on extensions, but this should help a bit,
and this is easier to backport
Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
The other parts of CVE-2023-6602 have been fixed by prior commits
Found-by: Harvey Phillips of Amazon Element55 (element55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ff_parse_mpeg2_descriptor() reads over what is initialized
Fixes: use of uninitialized memory
Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
packet_buffer is used in mux.c, and if a muxing process fails at a point where
packets remained in said queue, they will leak.
Fixes ticket #11419
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: undefined NULL pointer use
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
This performs equivalent sanity checks as are done in mov_read_trak()
before mov_build_index()
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
if sc->tts_count is 0, this condition will wrap around to UINT_MAX and the
code will try to dereference a NULL pointer.
Fixes ticket #11417
Signed-off-by: James Almer <jamrial@gmail.com>
