Re: [FFmpeg-devel] [PATCH] avformat/utils: fix undefined behaviour

Sun, 14 Feb 2021 13:36:59 -0800 

James Almer:
> On 2/14/2021 6:23 PM, Andreas Rheinhardt wrote:
>> James Almer:
>>> On 2/14/2021 6:09 PM, Paul B Mahol wrote:
>>>> Fixes following report:
>>>> libavformat/utils.c:1429:14: runtime error: applying zero offset to
>>>> null pointer
>>>
>>> How is data NULL here? That's the input packet's data pointer, and this
>>> loop is accessed only if size is > 0. data == NULL and size != 0 doesn't
>>> sound valid. Or am i missing something?
>>
>> Flushing.
> 
> A flush packet with data == NULL and size != 0? ff_read_packet(), called
> before the flush attempt, initializes the packet to defaults. So if it
> returns < 1, shouldn't the packet remain clean?

A flush packet with data == NULL and size == 0. And the parser of course
returns 0 in this case, which leads to NULL + 0, which is UB.

> 
>>
>>>
>>> Try compiling with assert level set to 1, see if you get an assertion
>>> failure on avpacket helpers.
>>>
>>>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
>>>> libavformat/utils.c:1429:14
>>>>
>>>> Signed-off-by: Paul B Mahol <one...@gmail.com>
>>>> ---
>>>>    libavformat/utils.c | 6 ++++--
>>>>    1 file changed, 4 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/libavformat/utils.c b/libavformat/utils.c
>>>> index 3e955b85bc..e4f100fda2 100644
>>>> --- a/libavformat/utils.c
>>>> +++ b/libavformat/utils.c
>>>> @@ -1426,8 +1426,10 @@ static int parse_packet(AVFormatContext *s,
>>>> AVPacket *pkt,
>>>>            pkt->pts = pkt->dts = AV_NOPTS_VALUE;
>>>>            pkt->pos = -1;
>>>>            /* increment read pointer */
>>>> -        data += len;
>>>> -        size -= len;
>>>> +        if (len > 0) {
>>>> +            data += len;
>>>> +            size -= len;
>>>> +        }
>>>>              got_output = !!out_pkt.size;
>>>>   
>>>
>>> _______________________________________________
>>> ffmpeg-devel mailing list
>>> ffmpeg-devel@ffmpeg.org
>>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>>
>>> To unsubscribe, visit link above, or email
>>> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>>
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to