Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#235 closed defect (fixed)

possible SIGSEGV in sws_getColorspaceDetails

Reported by: jean-tiare LE BIGOT
Owned by: Michael Niedermayer
Priority: normal
Component: swscale
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I experienced a SIGSEGV in the MLT library happening in the function sws_getColorspaceDetails in libswscale/utils.c:718. While I know the actual source of the bug is not in ffmpeg's sources, it is possible to have the first parameter (SwsContext *c) set to NULL which causes the crash.

Changing line 720 from

if (isYUV(c->dstFormat) || isGray(c->dstFormat)) return -1;

to

if (c==NULL || isYUV(c->dstFormat) || isGray(c->dstFormat)) return -1;

allows playback to continue.

PS: I'm working with the latest ffmpeg sources from git in an (almost) clean environment
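A minimal C illustration of the guard discussed in this ticket, added here as an example; it is not code from FFmpeg, MLT or the reporter. `ctx_t`, `get_details_unguarded()` and `get_details_guarded()` are simplified stand-ins for SwsContext and sws_getColorspaceDetails (the real function takes more parameters); `caller_apply_details()` is a hypothetical caller. The example shows the unguarded dereference that faults on NULL, the callee-side guard from the suggested patch, and the caller-side check argued for in the comments, including why the caller must still honour the -1 return before using the output values.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for SwsContext; the real struct has many more
 * fields (assumption made for this example). */
typedef struct {
    int dst_is_yuv;   /* stand-in for the isYUV(c->dstFormat) test */
    int brightness;
    int contrast;
    int saturation;
} ctx_t;

/* Unguarded form, as before the patch: c is dereferenced unconditionally,
 * so a NULL c faults at the first field access. Must never be called
 * with NULL. */
int get_details_unguarded(const ctx_t *c, int *brightness, int *contrast,
                          int *saturation)
{
    if (c->dst_is_yuv)
        return -1;                   /* nothing to report for YUV output */
    *brightness = c->brightness;
    *contrast   = c->contrast;
    *saturation = c->saturation;
    return 0;
}

/* Guarded form, mirroring the suggested patch: a NULL context is rejected
 * with -1 before any dereference. The outputs are left untouched on -1. */
int get_details_guarded(const ctx_t *c, int *brightness, int *contrast,
                        int *saturation)
{
    if (c == NULL || c->dst_is_yuv)
        return -1;
    *brightness = c->brightness;
    *contrast   = c->contrast;
    *saturation = c->saturation;
    return 0;
}

/* Hypothetical caller: the callee guard only helps if the caller honours
 * the -1 return. A caller that ignored it would read b, co and s
 * uninitialised. Returns 1 and writes *out_sum on success, 0 otherwise. */
int caller_apply_details(const ctx_t *c, int *out_sum)
{
    int b, co, s;

    if (c == NULL)                   /* caller-side check on the context */
        return 0;
    if (get_details_guarded(c, &b, &co, &s) < 0)
        return 0;
    *out_sum = b + co + s;           /* safe: all three were written */
    return 1;
}

int main(void)
{
    ctx_t rgb = { 0, 1, 2, 3 };      /* constructed sample context */
    int b = 0, co = 0, s = 0, sum = 0;

    printf("NULL context    -> %d\n", get_details_guarded(NULL, &b, &co, &s));
    printf("RGB via caller  -> ok=%d sum=%d\n", caller_apply_details(&rgb, &sum), sum);
    printf("NULL via caller -> ok=%d\n", caller_apply_details(NULL, &sum));
    return 0;
}
```

The guarded callee turns a crash into an error code, which is what the patch achieves; the caller-side check is what keeps that error code from becoming a silent use of uninitialised output values further down the pipeline.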

Attachments (1)

fix.diff (618 bytes) - added by jean-tiare LE BIGOT 11 years ago.
suggested bug fix


Change History (7)

comment:1 by Carl Eugen Hoyos, 11 years ago

Status: new → open

Consider sending or attaching a patch made with git diff libswscale/utils.c

by jean-tiare LE BIGOT, 11 years ago

Attachment: fix.diff added

suggested bug fix

comment:2 by jean-tiare LE BIGOT, 11 years ago

here is the requested diff.

comment:3 by Stefano Sabatini, 11 years ago

I'm not sure this is the right fix. Indeed the function is not supposed to be called on a NULL context, a check in the calling code should be done instead.

comment:4 by Michael Niedermayer, 11 years ago

Can we see the code that calls this with NULL?
Anyway the patch does no harm so IMHO it should be applied if it helps someone

comment:5 by Carl Eugen Hoyos, 11 years ago

Resolution: fixed
Status: open → closed

Patch applied, please post (or point to) the MLT code calling sws_getColorspaceDetails().

comment:6 by jean-tiare LE BIGOT, 11 years ago

I am currently doing tons of tests to locate the error source. Since MLT is fully multithreaded, this is quite tricky :-(

From one of my first tests, I remember that this function was called from the same C file but I was not able to reproduce the backtrace. I did quite a lot of recompilations...

I have still not found out the exact bug location in the MLT code. I am now sure it appears in the kdenlive wrapper of the "qimage" producer, somewhere in the file "mlt-0.7.2/src/modules/qimage/qimage_wrapper.cpp"

still investigating...
