[FFmpeg-trac] #8931(undetermined:new): Some potential Null pointer dereference bugs.

FFmpeg trac at avcodec.org
Mon Oct 12 07:32:52 EEST 2020


#8931: Some potential Null pointer dereference bugs.
-------------------------------------+-------------------------------------
             Reporter:  yunlongs     |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  undetermined |                  Version:  git-master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 I have found some potential null pointer dereference bugs, which are due to
 a lack of necessary checks after some memory alloc functions.

 These can cause a segmentation fault with no error messages.

 Bug 1: libavfilter/af_mcompand.c
 {{{
  388:       s->bands[i].attack_rate = av_calloc(outlink->channels, sizeof(double));
  389:       s->bands[i].decay_rate = av_calloc(outlink->channels, sizeof(double));
  390:       s->bands[i].volume = av_calloc(outlink->channels, sizeof(double));
         for (k = 0; k < FFMIN(nb_attacks / 2, outlink->channels); k++) {...}
 }}}
 I have read the definition of av_calloc carefully and found it can have
 some ways to return NULL. But we have not checked the returned pointers after
 lines 388, 389, 390 and directly use them in the for loop.

 Bug 2: dnn_backend_native.c
 {{{
 82:    AVFrame *in_frame = av_frame_alloc();
 83:    AVFrame *out_frame = av_frame_alloc();
     in_frame->width = input_width;
     in_frame->height = input_height;
 }}}
 Same as Bug 1, forgot to check the return value of av_frame_alloc() and
 directly use them.

 Bug 3: libavfilter/dnn/dnn_backend_native_layer_conv2d.c
 {{{
 227:        thread_param[i] = av_malloc(sizeof(**thread_param));
 228:        thread_param[i]->thread_common_param = &thread_common_param;
             ...
 246:        thread_param[0] = av_malloc(sizeof(**thread_param));
 247:        thread_param[0]->thread_common_param = &thread_common_param;
 }}}
 Forgot to check the return value of av_malloc and directly use them.

 Bug 4: libavformat/avidec.c
 {{{
 1075:        AVIOContext *pb = avio_alloc_context(pkt->data + 7,
                                              pkt->size - 7,
                                              0, NULL, NULL, NULL, NULL);
 1081:        if (desc_len > pb->buf_end - pb->buf_ptr)
 }}}
 Forgot to check the return value of avio_alloc_context and directly use
 them.

 Bug 5: libavformat/hls.c
 {{{
 830:            cur_init_section = new_init_section(pls, &info, url);
 831:            cur_init_section->key_type = key_type;
 }}}
 Forgot to check the return value of new_init_section and directly use them.

 '''Fixing them can make your project more robust, please consider
 them, thanks.'''

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8931>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
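The pattern every one of the five reports shares is an allocation whose result is used before anyone looks at it. The following is an added example, written for this archive page and not code from the reporter or from FFmpeg, showing the two checked shapes a fix normally takes: the "allocate all, check all, free all on failure" shape for Bug 1's three per-channel arrays, and the "unwind what was already allocated" shape for Bug 3's loop of per-thread blocks. The Band and ThreadParam structs, the xcalloc wrapper and the simulate_alloc_failure hook are constructed for the example so the out-of-memory path can actually be exercised; real FFmpeg code would call av_calloc/av_freep and return AVERROR(ENOMEM), which on POSIX is the same value as the plain -ENOMEM used here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the fields named in the report (not FFmpeg's types). */
typedef struct Band {
    double *attack_rate;
    double *decay_rate;
    double *volume;
} Band;

typedef struct ThreadParam {
    int index;
} ThreadParam;

/* Allocation hook: the nth call (0-based) after simulate_alloc_failure(n)
 * returns NULL, so the failure path can be tested without real OOM. */
static int g_fail_at = -1;
static int g_alloc_count = 0;

static void simulate_alloc_failure(int nth)
{
    g_fail_at = nth;
    g_alloc_count = 0;
}

static void *xcalloc(size_t nmemb, size_t size)
{
    if (g_fail_at >= 0 && g_alloc_count++ == g_fail_at)
        return NULL;
    return calloc(nmemb, size);
}

/* free() accepts NULL, as av_freep does, so a partially built Band is safe to release. */
static void band_free(Band *b)
{
    free(b->attack_rate);
    free(b->decay_rate);
    free(b->volume);
    b->attack_rate = b->decay_rate = b->volume = NULL;
}

/* Bug 1 shape, checked: allocate the three arrays, test all of them before the
 * loop that indexes into them, and hand back -ENOMEM with nothing leaked. */
static int band_init_checked(Band *b, int channels)
{
    memset(b, 0, sizeof(*b));
    b->attack_rate = xcalloc(channels, sizeof(double));
    b->decay_rate  = xcalloc(channels, sizeof(double));
    b->volume      = xcalloc(channels, sizeof(double));
    if (!b->attack_rate || !b->decay_rate || !b->volume) {
        band_free(b);
        return -ENOMEM;
    }
    for (int k = 0; k < channels; k++) {   /* the loop that crashed unchecked */
        b->attack_rate[k] = 1.0 / (k + 1);
        b->decay_rate[k]  = 2.0 / (k + 1);
        b->volume[k]      = 1.0;
    }
    return 0;
}

/* Bug 3 shape, checked: allocate n blocks in a loop; if block i fails, free
 * blocks 0..i-1 (which were allocated) and leave the array all-NULL. */
static int alloc_thread_params(ThreadParam **out, int n)
{
    for (int i = 0; i < n; i++) {
        out[i] = xcalloc(1, sizeof(*out[i]));
        if (!out[i]) {
            while (i-- > 0) {
                free(out[i]);
                out[i] = NULL;
            }
            return -ENOMEM;
        }
        out[i]->index = i;
    }
    return 0;
}

static void free_thread_params(ThreadParam **tp, int n)
{
    for (int i = 0; i < n; i++) {
        free(tp[i]);
        tp[i] = NULL;
    }
}

int main(void)
{
    Band b;
    ThreadParam *tp[4] = {0};

    simulate_alloc_failure(1);               /* second allocation fails */
    printf("band_init_checked under OOM: %d (expect %d)\n", band_init_checked(&b, 4), -ENOMEM);

    simulate_alloc_failure(-1);              /* allocations succeed again */
    printf("band_init_checked normal: %d\n", band_init_checked(&b, 4));
    band_free(&b);

    simulate_alloc_failure(2);               /* third thread block fails */
    printf("alloc_thread_params under OOM: %d, tp[0]=%p\n",
           alloc_thread_params(tp, 4), (void *)tp[0]);
    return 0;
}
```

The point of the check-all-then-free-all shape is that it needs no per-allocation cleanup labels: because the free routine tolerates NULL, one test after the last allocation covers every combination of failures. The loop shape needs the unwind because the number of blocks to release depends on where the failure occurred.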

