[FFmpeg-trac] #8044(ffmpeg:new): A potential NPD bug in the source file zmqsend.c

FFmpeg trac at avcodec.org
Sun Jul 28 15:47:52 EEST 2019


#8044: A potential NPD bug in the source file zmqsend.c
-----------------------------------+--------------------------------------
             Reporter:  wurongxin  |                     Type:  defect
               Status:  new        |                 Priority:  normal
            Component:  ffmpeg     |                  Version:  git-master
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
 Summary of the bug:
 How to reproduce:
 {{{
 % ffmpeg -i input ... output
 ffmpeg version
 built on ...
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.



 In the source file zmqsend.c, at Line 126, the invocation of the function
 "av_bprint_finalize" will make src_buf a null pointer. This will lead to
 an NPD at Line 128, with the function call to strlen(src_buf).

 126.     av_bprint_finalize(&src, &src_buf);
 127.
 128.     if (zmq_send(socket, src_buf, strlen(src_buf), 0) == -1) {
 129.         av_log(NULL, AV_LOG_ERROR, "Could not send message: %s\n", zmq_strerror(errno));
 130.         ret = 1;
 131.         goto end;
 132.     }


 In the source file bprint.c, at Line 248, the variable str will receive
 the return value of the function av_malloc. In some cases, this function
 can return a null pointer. I think the developer has noticed such a case;
 that is why the developer assigns the variable ret an error code.
 However, the null pointer will still be assigned to *ret_str at Line 254.



 235. int av_bprint_finalize(AVBPrint *buf, char **ret_str)
 236. {
 237.     unsigned real_size = FFMIN(buf->len + 1, buf->size);
 238.     char *str;
 239.     int ret = 0;
 240.
 241.     if (ret_str) {
 242.         if (av_bprint_is_allocated(buf)) {
 243.             str = av_realloc(buf->str, real_size);
 244.             if (!str)
 245.                 str = buf->str;
 246.             buf->str = NULL;
 247.         } else {
 248.             str = av_malloc(real_size);
 249.             if (str)
 250.                 memcpy(str, buf->str, real_size);
 251.             else
 252.                 ret = AVERROR(ENOMEM);
 253.         }
 254.         *ret_str = str;
 255.     } else {
 256.         if (av_bprint_is_allocated(buf))
 257.             av_freep(&buf->str);
 258.     }
 259.     buf->size = real_size;
 260.     return ret;
 261. }

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8044>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
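The following is an added example, not FFmpeg's code and not part of the reporter's ticket. It reproduces the behaviour the ticket describes in a self-contained C program: a minimal MiniBPrint struct, a mini_bprint_finalize that mirrors the non-allocated branch of the av_bprint_finalize quoted above (NULL stored through ret_str and AVERROR(ENOMEM), i.e. -ENOMEM, returned on allocation failure), an allocator hook (fail_next_alloc) to force that failure, and a fake_zmq_send stand-in that only records the length it is given. All of those names are assumptions made for the demo. It shows a caller shaped like the zmqsend.c lines quoted in the ticket beside a caller that checks the return code and the pointer before strlen.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for AVBPrint (demo assumption, not FFmpeg's struct). */
typedef struct MiniBPrint {
    char *str;          /* current buffer; points at reserved[] for short text */
    unsigned len;       /* bytes written, excluding the NUL */
    unsigned size;      /* capacity of str */
    char reserved[64];  /* internal buffer, like AVBPrint's reserved one */
} MiniBPrint;

/* Initialise the buffer and copy s into it (silent truncation is fine here). */
static void mini_bprint_set(MiniBPrint *buf, const char *s) {
    size_t n = strlen(s);
    buf->str  = buf->reserved;
    buf->size = sizeof buf->reserved;
    if (n > buf->size - 1)
        n = buf->size - 1;
    memcpy(buf->str, s, n);
    buf->len = (unsigned)n;
    buf->str[n] = '\0';
}

/* Allocator hook so the failure path can be forced (demo assumption). */
static int fail_next_alloc;
static void *mini_malloc(size_t n) {
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Mirrors the non-allocated branch of av_bprint_finalize quoted in the ticket:
 * on allocation failure *ret_str becomes NULL and -ENOMEM is returned. */
static int mini_bprint_finalize(MiniBPrint *buf, char **ret_str) {
    unsigned real_size = buf->len + 1 < buf->size ? buf->len + 1 : buf->size;
    int ret = 0;
    if (ret_str) {
        char *str = mini_malloc(real_size);
        if (str)
            memcpy(str, buf->str, real_size);
        else
            ret = -ENOMEM;
        *ret_str = str;              /* NULL on failure, as at bprint.c line 254 */
    }
    buf->size = real_size;
    return ret;
}

/* Stand-in for zmq_send(): records the length it was asked to send. */
static size_t last_sent_len;
static int fake_zmq_send(const char *data, size_t len) {
    (void)data;
    last_sent_len = len;
    return (int)len;
}

/* Caller shaped like zmqsend.c lines 126-128: if finalize fails, this
 * evaluates strlen(NULL). It is only exercised on the success path below. */
static int send_unchecked(MiniBPrint *buf) {
    char *src_buf;
    mini_bprint_finalize(buf, &src_buf);
    int rc = fake_zmq_send(src_buf, strlen(src_buf));
    free(src_buf);
    return rc == -1 ? -1 : 0;
}

/* Hardened caller: check the return code and the pointer before strlen. */
static int send_checked(MiniBPrint *buf) {
    char *src_buf = NULL;
    int ret = mini_bprint_finalize(buf, &src_buf);
    if (ret < 0 || !src_buf) {
        fprintf(stderr, "Could not finalize message: %s\n", strerror(-ret));
        return ret;                  /* propagate -ENOMEM, do not touch src_buf */
    }
    int rc = fake_zmq_send(src_buf, strlen(src_buf));
    free(src_buf);
    return rc == -1 ? -1 : 0;
}

/* Constructed sample message in the zmq filter-command style. */
static const char MSG[] = "Parsed_drawtext_0 reinit text=hello";

/* Success path: both callers hand the same byte count to the sender. */
static size_t demo_success(void) {
    MiniBPrint buf;
    mini_bprint_set(&buf, MSG);
    if (send_unchecked(&buf) != 0)
        return 0;
    size_t n = last_sent_len;
    mini_bprint_set(&buf, MSG);
    if (send_checked(&buf) != 0 || last_sent_len != n)
        return 0;
    return n;
}

/* Failure path: the allocation is forced to fail; the checked caller returns
 * -ENOMEM where the unchecked one would call strlen(NULL). */
static int demo_alloc_failure(void) {
    MiniBPrint buf;
    mini_bprint_set(&buf, MSG);
    fail_next_alloc = 1;
    return send_checked(&buf);
}
```

In the real tool the same shape applies: test the value returned by av_bprint_finalize (and that src_buf is non-NULL) before passing it to strlen and zmq_send, and jump to the error path on failure instead of falling through.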