Opened 9 days ago

#7484 new defect

av_packet_ref(): Allocates array on zero src size

Reported by: zerodefect Owned by:
Priority: normal Component: avcodec
Version: Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Discovered a bug on a corner-case when exercising some unit tests I had written. The code involved pertains to function:

int av_packet_ref(AVPacket *dst, const AVPacket *src).

I'll jump right into the code example:


#include <cassert>

extern "C"
{
#include <libavcodec/avcodec.h>
}

int main(int argc, char *argv[])
{
        AVPacket pkt{};
        av_init_packet(&pkt);
        assert(pkt.size == 0); // OK;
        assert(pkt.data == nullptr); // OK
        
        AVPacket pkt2{};
        av_init_packet(&pkt2);
        assert(pkt2.size == 0); // OK;
        assert(pkt2.data == nullptr); // OK
        
        assert(0 == av_packet_ref(&pkt2, &pkt)); // OK? Discuss.
        
        assert(pkt.size == 0); // OK;
        assert(pkt.data == nullptr); // OK
        
        assert(pkt2.size == 0); // OK;
        assert(pkt2.data == nullptr); // ASSERTS: Woah! Not good! 

        return 0;
}

So the av_packet_ref(...) function is called with src and dst packets whose sizes are both 0 and whose data pointers are both NULL, yet after the call the data pointer on dst is non-NULL.

Code sample built using the following command:
g++ main.cpp -lavcodec -o test

Ubuntu 18.04
GCC 8.2
FFmpeg v4.0.2
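The following is an added example, not code from the ticket or from FFmpeg: a self-contained model of the corner case so the post-condition a unit test should check can be exercised without libavcodec installed. The `pkt_t` type and the `pkt_ref_*` functions are hypothetical stand-ins that reproduce the observed outcome (an allocate-and-copy path that hands an empty source a non-NULL data pointer) beside a variant that keeps an empty packet empty; `PAD` is an assumed stand-in for the padding such buffers carry.

```c
/* Added example: hypothetical model of the zero-size ref corner case.
 * pkt_t / pkt_ref_* are stand-ins, not libavcodec's AVPacket / av_packet_ref. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdio.h>

#define PAD 64  /* assumed stand-in for padding appended to every buffer */

typedef struct {
    uint8_t *data;  /* payload start, NULL when there is no payload */
    int      size;  /* payload length */
    uint8_t *buf;   /* owned backing allocation (NULL = not refcounted) */
} pkt_t;

/* Models the reported behaviour: allocates size+PAD even when size == 0,
 * so dst->data becomes non-NULL for an empty source. */
static int pkt_ref_allocating(pkt_t *dst, const pkt_t *src)
{
    size_t n = (size_t)src->size + PAD;
    dst->buf = malloc(n);
    if (!dst->buf)
        return -1;
    memset(dst->buf, 0, n);
    if (src->size)
        memcpy(dst->buf, src->data, (size_t)src->size);
    dst->data = dst->buf;
    dst->size = src->size;
    return 0;
}

/* Variant that preserves the empty-packet representation: a zero-size,
 * unallocated source yields a zero-size, unallocated destination. */
static int pkt_ref_preserving(pkt_t *dst, const pkt_t *src)
{
    if (src->size == 0 && src->data == NULL) {
        dst->data = NULL;
        dst->buf  = NULL;
        dst->size = 0;
        return 0;
    }
    return pkt_ref_allocating(dst, src);
}

/* Post-condition a unit test should assert after any ref/copy:
 * an empty packet has neither a data pointer nor a backing buffer. */
int pkt_empty_invariant_holds(const pkt_t *p)
{
    if (p->size != 0)
        return 1;  /* the invariant only constrains empty packets */
    return p->data == NULL && p->buf == NULL;
}

void pkt_unref(pkt_t *p)
{
    free(p->buf);
    p->buf = NULL;
    p->data = NULL;
    p->size = 0;
}

/* Runs both variants on an empty source. Returns 1 when the allocating
 * variant violates the invariant and the preserving variant keeps it. */
int demo_zero_size_ref(void)
{
    pkt_t src = {0}, a = {0}, b = {0};
    int broken_by_alloc, kept_by_preserving;

    if (pkt_ref_allocating(&a, &src) != 0)
        return 0;
    broken_by_alloc = !pkt_empty_invariant_holds(&a);

    if (pkt_ref_preserving(&b, &src) != 0) {
        pkt_unref(&a);
        return 0;
    }
    kept_by_preserving = pkt_empty_invariant_holds(&b);

    pkt_unref(&a);
    pkt_unref(&b);
    return broken_by_alloc && kept_by_preserving;
}

int main(void)
{
    printf("allocating variant breaks empty-packet invariant, preserving keeps it: %s\n",
           demo_zero_size_ref() ? "yes" : "no");
    return 0;
}
```

The check worth carrying into the real unit test is `pkt_empty_invariant_holds`: after a ref or copy, assert on both the data pointer and the backing buffer, not just on size, since a zero-size packet with a live allocation is exactly the state the ticket reports.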

Change History (0)
