[FFmpeg-trac] #8044(ffmpeg:new): A potential NPD bug in the source file zmqsend.c
FFmpeg
trac at avcodec.org
Sun Jul 28 15:47:52 EEST 2019
#8044: A potential NPD bug in the source file zmqsend.c
-----------------------------------+--------------------------------------
Reporter: wurongxin | Type: defect
Status: new | Priority: normal
Component: ffmpeg | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+--------------------------------------
Summary of the bug:
How to reproduce:
{{{
% ffmpeg -i input ... output
ffmpeg version
built on ...
}}}
Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.
In the source file zmqsend.c, at Line 126, the invocation of the function
"av_bprint_finalize" will make src_buf a null pointer. This will lead to
an NPD at Line 128, with the function call to strlen(src_buf).
{{{
126.     av_bprint_finalize(&src, &src_buf);
127.
128.     if (zmq_send(socket, src_buf, strlen(src_buf), 0) == -1) {
129.         av_log(NULL, AV_LOG_ERROR, "Could not send message: %s\n", zmq_strerror(errno));
130.         ret = 1;
131.         goto end;
132.     }
}}}
In the source file bprint.c, at Line 248, the variable str will receive
the return value from the function av_malloc. In some cases, this function
can return a null pointer. I think the developer has noticed such a case.
That is why the developer assigns the variable ret an error code.
However, the null pointer will be assigned to *ret_str at Line 254.
{{{
235. int av_bprint_finalize(AVBPrint *buf, char **ret_str)
236. {
237.     unsigned real_size = FFMIN(buf->len + 1, buf->size);
238.     char *str;
239.     int ret = 0;
240.
241.     if (ret_str) {
242.         if (av_bprint_is_allocated(buf)) {
243.             str = av_realloc(buf->str, real_size);
244.             if (!str)
245.                 str = buf->str;
246.             buf->str = NULL;
247.         } else {
248.             str = av_malloc(real_size);
249.             if (str)
250.                 memcpy(str, buf->str, real_size);
251.             else
252.                 ret = AVERROR(ENOMEM);
253.         }
254.         *ret_str = str;
255.     } else {
256.         if (av_bprint_is_allocated(buf))
257.             av_freep(&buf->str);
258.     }
259.     buf->size = real_size;
260.     return ret;
261. }
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8044>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
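The contract the ticket describes (a finalize routine that returns an error code and still stores NULL into the output pointer on allocation failure) and the caller-side check that prevents the strlen(NULL) dereference, as a self-contained C model added here. This is not FFmpeg's code and does not link against libavutil or libzmq: model_finalize, model_send, model_malloc and the two send_message_* callers are constructed stand-ins whose names are assumptions, and a switchable fake allocator lets the out-of-memory path be exercised deliberately.

```c
/* Added example: a stand-alone model of the av_bprint_finalize() contract
 * discussed in ticket #8044, not FFmpeg's own code. A fake allocator can be
 * told to fail so the out-of-memory path runs without libavutil or libzmq. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed switch for the fake allocator (assumed name). */
static int fail_alloc = 0;

void model_set_alloc_failure(int on)
{
    fail_alloc = on;
}

/* Stand-in for av_malloc(): returns NULL while failure is switched on. */
static void *model_malloc(size_t n)
{
    return fail_alloc ? NULL : malloc(n);
}

/* Model of av_bprint_finalize(): on allocation failure it returns -ENOMEM and
 * still stores NULL into *ret_str, mirroring the behaviour the report quotes
 * from bprint.c (lines 248-254 in the listing above). */
int model_finalize(const char *src, char **ret_str)
{
    size_t real_size = strlen(src) + 1;
    char *str = model_malloc(real_size);
    int ret = 0;

    if (str)
        memcpy(str, src, real_size);
    else
        ret = -ENOMEM;
    *ret_str = str;          /* NULL propagates to the caller on failure */
    return ret;
}

/* Stand-in for zmq_send(): reports the length it would have sent. */
static int model_send(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

/* Caller shaped like zmqsend.c lines 126-128: the finalize result is ignored,
 * so under allocation failure strlen(src_buf) dereferences NULL (the NPD the
 * ticket reports). Kept for comparison; only call it with allocation enabled. */
int send_message_unchecked(const char *src)
{
    char *src_buf = NULL;
    int ret;

    model_finalize(src, &src_buf);
    ret = model_send(src_buf, strlen(src_buf));
    free(src_buf);
    return ret;
}

/* Hardened caller: checks the finalize return code and the pointer before
 * strlen() touches it. Returns the byte count "sent" or a negative errno value.
 * This is the shape of check the report implies, not FFmpeg's actual patch. */
int send_message_checked(const char *src)
{
    char *src_buf = NULL;
    int ret = model_finalize(src, &src_buf);

    if (ret < 0 || !src_buf) {
        fprintf(stderr, "Could not finalize message: %s\n",
                strerror(ret < 0 ? -ret : ENOMEM));
        return ret < 0 ? ret : -ENOMEM;
    }
    ret = model_send(src_buf, strlen(src_buf));
    free(src_buf);
    return ret;
}

int main(void)
{
    /* Normal path: both callers send the 5-byte message. */
    printf("checked, alloc ok:   %d\n", send_message_checked("hello"));
    printf("unchecked, alloc ok: %d\n", send_message_unchecked("hello"));

    /* Simulated out-of-memory: only the checked caller survives. */
    model_set_alloc_failure(1);
    printf("checked, alloc fail: %d (expect %d)\n",
           send_message_checked("hello"), -ENOMEM);
    model_set_alloc_failure(0);
    return 0;
}
```

The point of the model is that the return value of the finalize call and the output pointer are two independent signals of the same failure; checking either one before the length computation is enough, and the hardened caller checks both so it stays correct even if one of them is changed later.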