From 555f332e7adbd492ca74fa7329c492819b52e2ed Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Wed, 19 Dec 2018 16:00:22 -0800 Subject: libavformat/mov: Fix NULL-dereference read for some encrypted content. When reading frames, we need to use the fragment for the correct stream. Sometimes the "current" fragment is not the same as the one the frame is for. Found by Chromium's ClusterFuzz: https://crbug.com/906392 and https://crbug.com/915524 Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ec839ed5e3..825738127b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6557,14 +6557,14 @@ static int cenc_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryptionInfo *s return 0; } -static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int current_index) +static int cenc_filter(MOVContext *mov, AVStream* st, MOVStreamContext *sc, AVPacket *pkt, int current_index) { MOVFragmentStreamInfo *frag_stream_info; MOVEncryptionIndex *encryption_index; AVEncryptionInfo *encrypted_sample; int encrypted_index, ret; - frag_stream_info = get_current_frag_stream_info(&mov->frag_index); + frag_stream_info = get_frag_stream_info(&mov->frag_index, mov->frag_index.current, st->id); encrypted_index = current_index; encryption_index = NULL; if (frag_stream_info) { @@ -7794,7 +7794,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) if (mov->aax_mode) aax_filter(pkt->data, pkt->size, mov); - ret = cenc_filter(mov, sc, pkt, current_index); + ret = cenc_filter(mov, st, sc, pkt, current_index); if (ret < 0) return ret; -- cgit v1.2.3