[FFmpeg-devel] [Patch] fix ffprobe crash #3603

Anshul anshul.ffmpeg at gmail.com
Wed May 14 19:02:25 CEST 2014


On May 14, 2014 8:38:40 PM IST, Stefano Sabatini <stefasab at gmail.com> wrote:
>On date Tuesday 2014-05-13 09:55:45 +0530, Anshul encoded:
>[...]
>> From 53a415cec2b682a060ba1de154796dd32c0c81c9 Mon Sep 17 00:00:00
>2001
>> From: Anshul <er.anshul.maheshwari at gmail.com>
>> Date: Mon, 12 May 2014 23:15:20 +0530
>> Subject: [PATCH] ffprobe: fix crash because of new streams occuring
>> 
>> Fix ticket #3603
>> ---
>>  ffprobe.c | 23 ++++++++++++++++++-----
>>  1 file changed, 18 insertions(+), 5 deletions(-)
>> 
>> diff --git a/ffprobe.c b/ffprobe.c
>> index c6e0469..0090783 100644
>> --- a/ffprobe.c
>> +++ b/ffprobe.c
>> @@ -191,6 +191,7 @@ static const char unit_hertz_str[]          =
>"Hz"   ;
>>  static const char unit_byte_str[]           = "byte" ;
>>  static const char unit_bit_per_second_str[] = "bit/s";
>>  
>> +static int nb_streams;
>>  static uint64_t *nb_streams_packets;
>>  static uint64_t *nb_streams_frames;
>>  static int *selected_streams;
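Review bot: The new file-scope `static int nb_streams;` has no comment and shares its name with the `nb_streams` field of the format context that the later hunks compare it against, which makes lines such as `fmt_ctx->nb_streams > nb_streams` easy to misread. Add a comment stating that it holds the allocated length of the three per-stream arrays declared below it, consider a more distinct name, and give it the same type as the field it is compared with.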
>> @@ -1632,6 +1633,13 @@ static void writer_register_all(void)
>>  #define print_section_header(s) writer_print_section_header(w, s)
>>  #define print_section_footer(s) writer_print_section_footer(w, s)
>>  
>> +#define CHECK_END if (ret < 0) goto end
>> +#define REALLOCZ_ARRAY_STREAM (ptr, cur_n, new_n)                   
>  \
>> +{                                                                   
>  \
>> +    ret = av_reallocp_array(&(ptr), (new_n), sizeof(*(ptr)));       
>  \
>> +    CHECK_END;                                                      
>  \
>
>> +    memset( (ptr) + (cur_n), 0, (new_n) - (cur_n) * sizeof(*(ptr))
>);  \
>
>Ehm, this should be ((new_n) - (cur_n)) * sizeof(*(ptr))
>
Done.
>> +}
>>  static inline int show_tags(WriterContext *w, AVDictionary *tags,
>int section_id)
>>  {
>>      AVDictionaryEntry *tag = NULL;
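Review bot: The line `#define REALLOCZ_ARRAY_STREAM (ptr, cur_n, new_n)` has a space between the macro name and the opening parenthesis, so the preprocessor defines an object-like macro whose replacement text starts with `(ptr, cur_n, new_n)` rather than a macro taking three arguments, and the calls in the later hunks will not expand as intended. Remove the space. The body is also a bare `{ ... }` block that assigns to `ret` and hides a `goto end` through CHECK_END; wrapping it in `do { ... } while (0)` and adding a comment that callers need a local `ret` and an `end` label would make the call sites safer to read. The memset length needs the parenthesized form already pointed out in the review comment inside this hunk.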
>> @@ -1893,6 +1901,12 @@ static int read_interval_packets(WriterContext
>*w, AVFormatContext *fmt_ctx,
>>          goto end;
>>      }
>>      while (!av_read_frame(fmt_ctx, &pkt)) {
>> +        if (fmt_ctx->nb_streams > nb_streams) {
>> +            REALLOCZ_ARRAY_STREAM(nb_streams_frames, nb_streams,
>fmt_ctx->nb_streams);
>> +           
>REALLOCZ_ARRAY_STREAM(nb_streams_packets,nb_streams,fmt_ctx->nb_streams);
>> +           
>REALLOCZ_ARRAY_STREAM(selected_streams,nb_streams,fmt_ctx->nb_streams);
>> +            nb_streams = fmt_ctx->nb_streams;
>> +        }
>>          if (selected_streams[pkt.stream_index]) {
>>              AVRational tb =
>fmt_ctx->streams[pkt.stream_index]->time_base;
>>  
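Review bot: In the `fmt_ctx->nb_streams > nb_streams` branch, the entries appended to `selected_streams` are zero-filled by the macro, so the `if (selected_streams[pkt.stream_index])` test directly below is false for every packet of a stream that appears mid-file. That removes the out-of-bounds read, but those streams are then silently skipped; if that is intended, say so in a comment, otherwise initialize the new entries the same way the initial ones are selected. Each of the three calls can also jump to `end` after `av_read_frame(fmt_ctx, &pkt)` has returned a packet, so confirm that path releases `pkt`. The three calls are formatted inconsistently (spaces after commas in the first, none in the other two).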
>> @@ -2372,11 +2386,10 @@ static int probe_file(WriterContext *wctx,
>const char *filename)
>>      if (ret < 0)
>>          return ret;
>
>>  
>> -#define CHECK_END if (ret < 0) goto end
>> -
>> -    nb_streams_frames  = av_calloc(fmt_ctx->nb_streams,
>sizeof(*nb_streams_frames));
>> -    nb_streams_packets = av_calloc(fmt_ctx->nb_streams,
>sizeof(*nb_streams_packets));
>> -    selected_streams   = av_calloc(fmt_ctx->nb_streams,
>sizeof(*selected_streams));
>> +    nb_streams = fmt_ctx->nb_streams;
>> +    REALLOCZ_ARRAY_STREAM(nb_streams_frames,0,fmt_ctx->nb_streams);
>> +    REALLOCZ_ARRAY_STREAM(nb_streams_packets,0,fmt_ctx->nb_streams);
>> +    REALLOCZ_ARRAY_STREAM(selected_streams,0,fmt_ctx->nb_streams);
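Review bot: `nb_streams = fmt_ctx->nb_streams;` is assigned before the three REALLOCZ_ARRAY_STREAM calls here, while the read_interval_packets hunk assigns it only after they have succeeded; if one of these calls jumps to `end`, the counter claims a length the arrays do not have. Move the assignment below the three calls so both sites follow the same order. Passing 0 as `cur_n` also assumes the three static pointers are NULL whenever probe_file is entered, which the removed `av_calloc` calls did not depend on, so add a comment stating that requirement or reset the pointers explicitly before these lines.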
>
>What's the point of this hunk?
realloc is only safe if memory is allocated by malloc, calloc or realloc. In ffmpeg av_calloc and av_malloc use mmap to allocate memory, so av_realloc is safe only if memory is allocated using av_realloc. It was discussed with ubitux at the start of this patch thread.

-Anshul



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ffprobe-fix-crash-because-of-new-streams-occuring.patch
Type: application/octet-stream
Size: 2929 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140514/b32085b9/attachment.obj>

