[FFmpeg-trac] #8931(undetermined:new): Some potential Null pointer dereference bugs.
FFmpeg
trac at avcodec.org
Mon Oct 12 07:32:52 EEST 2020
#8931: Some potential Null pointer dereference bugs.
-------------------------------------+-------------------------------------
Reporter: yunlongs | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
I have found some potential null pointer dereference bugs, which are due to
a lack of necessary checks after some memory allocation functions.
These can cause a segmentation fault with no error messages.
Bug 1: libavfilter/af_mcompand.c
{{{
388: s->bands[i].attack_rate = av_calloc(outlink->channels, sizeof(double));
389: s->bands[i].decay_rate = av_calloc(outlink->channels, sizeof(double));
390: s->bands[i].volume = av_calloc(outlink->channels, sizeof(double));
for (k = 0; k < FFMIN(nb_attacks / 2, outlink->channels); k++)
{...}
}}}
I have read the definition of av_calloc carefully and found that it has
some ways to return NULL. But we have not checked the returned pointers after
lines 388, 389, 390 and directly use them in the for loop.
Bug 2: dnn_backend_native.c
{{{
82: AVFrame *in_frame = av_frame_alloc();
83: AVFrame *out_frame = av_frame_alloc();
in_frame->width = input_width;
in_frame->height = input_height;
}}}
Same as Bug 1, forgot to check the return value of av_frame_alloc() and
directly use them.
Bug 3: libavfilter/dnn/dnn_backend_native_layer_conv2d.c
{{{
227: thread_param[i] = av_malloc(sizeof(**thread_param));
228: thread_param[i]->thread_common_param = &thread_common_param;
...
246: thread_param[0] = av_malloc(sizeof(**thread_param));
247: thread_param[0]->thread_common_param = &thread_common_param;
}}}
Forgot to check the return value of av_malloc and directly use them.
Bug 4: libavformat/avidec.c
{{{
1075: AVIOContext *pb = avio_alloc_context(pkt->data + 7, pkt->size - 7,
                                           0, NULL, NULL, NULL, NULL);
1081: if (desc_len > pb->buf_end - pb->buf_ptr)
}}}
Forgot to check the return value of avio_alloc_context and directly use
it.
Bug 5: libavformat/hls.c
{{{
830: cur_init_section = new_init_section(pls, &info, url);
831: cur_init_section->key_type = key_type;
}}}
Forgot to check the return value of new_init_section and directly use it.
'''Fixing them can make your project more robust; please consider
them, thanks.'''
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8931>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
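The five reports above share one pattern: an allocation result is dereferenced before anyone has checked it for NULL. The following is an added example, not code from the ticket or from FFmpeg, showing the hardened shape of Bug 1 (three per-band `av_calloc` calls followed by a loop over the buffers) together with the failure modes the reporter alludes to. `x_calloc`, `XERROR`, `Band`, `band_alloc_checked` and the `fail_after_n` fault-injection switch are stand-ins invented here so the out-of-memory path can be exercised offline; in FFmpeg the equivalents are `av_calloc`, `AVERROR(ENOMEM)` and the filter's own context struct.

```c
/* Added example (not from the ticket or FFmpeg): the "check every allocation,
 * unwind on failure" pattern that the report asks for, with a fault-injecting
 * allocator so the NULL path can actually be driven in a test. All names
 * below are hypothetical stand-ins for their FFmpeg counterparts. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for AVERROR(ENOMEM): FFmpeg reports errors as negative errno values. */
#define XERROR(e) (-(e))

/* Fault injection: -1 never fails; n >= 0 makes the (n+1)-th call return NULL. */
static int fail_after_n = -1;

/* Stand-in for av_calloc. Besides injected failures it returns NULL when
 * nmemb * size would overflow, one of the "ways to return NULL" the report
 * mentions for the real function. */
static void *x_calloc(size_t nmemb, size_t size)
{
    if (fail_after_n == 0)
        return NULL;
    if (fail_after_n > 0)
        fail_after_n--;
    if (size && nmemb > SIZE_MAX / size)   /* overflow guard */
        return NULL;
    return calloc(nmemb, size);
}

/* Minimal analogue of one entry of s->bands[] in af_mcompand.c. */
typedef struct Band {
    double *attack_rate;
    double *decay_rate;
    double *volume;
} Band;

static void band_free(Band *b)
{
    free(b->attack_rate);
    free(b->decay_rate);
    free(b->volume);
    memset(b, 0, sizeof(*b));
}

/* Hardened form: all three buffers are checked before the loop touches them.
 * On failure, whatever was allocated is released and an error code is
 * returned so the caller unwinds instead of dereferencing NULL. */
static int band_alloc_checked(Band *b, int channels)
{
    memset(b, 0, sizeof(*b));
    b->attack_rate = x_calloc(channels, sizeof(double));
    b->decay_rate  = x_calloc(channels, sizeof(double));
    b->volume      = x_calloc(channels, sizeof(double));
    if (!b->attack_rate || !b->decay_rate || !b->volume) {
        band_free(b);
        return XERROR(ENOMEM);
    }
    for (int k = 0; k < channels; k++)
        b->volume[k] = 1.0;   /* safe: every pointer is known non-NULL here */
    return 0;
}

/* Force the fail_index-th allocation to fail; returns 1 when the function
 * reported ENOMEM and left the struct fully reset (no dangling buffers). */
static int fails_cleanly(int fail_index)
{
    Band b;
    fail_after_n = fail_index;
    int ret = band_alloc_checked(&b, 4);
    fail_after_n = -1;
    int clean = !b.attack_rate && !b.decay_rate && !b.volume;
    if (ret == 0)
        band_free(&b);
    return ret == XERROR(ENOMEM) && clean;
}

/* Returns 1 when allocation succeeds and the buffers were initialised. */
static int succeeds(void)
{
    Band b;
    int ret = band_alloc_checked(&b, 4);
    int ok = ret == 0 && b.volume && b.volume[3] == 1.0;
    band_free(&b);
    return ok;
}

/* Returns 1 when an overflowing request is rejected with NULL. */
static int overflow_returns_null(void)
{
    return x_calloc(SIZE_MAX, 2) == NULL;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("allocation %d fails -> clean ENOMEM: %s\n", i + 1,
               fails_cleanly(i) ? "yes" : "no");
    printf("normal path ok: %s\n", succeeds() ? "yes" : "no");
    printf("overflow rejected: %s\n", overflow_returns_null() ? "yes" : "no");
    return 0;
}
```

The same shape applies to the other four reports: the result of `av_frame_alloc`, `av_malloc`, `avio_alloc_context` or `new_init_section` is tested immediately, already-acquired resources are released on the error path, and `AVERROR(ENOMEM)` propagates to the caller. Driving the allocator to fail in a test, as `fails_cleanly` does, is the practical way to confirm that no dereference happens on that path and that nothing leaks.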