Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#235 closed defect (fixed)

possible SIGSEGV in sws_getColorspaceDetails

Reported by: jtlebi
Owned by: michael
Priority: normal
Component: swscale
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

I experienced a SIGSEGV in the MLT library happening in the function sws_getColorspaceDetails in libswscale/utils.c:718. While I know the actual source of the bug is not in ffmpeg's sources, it is possible to have the first parameter (SwsContext *c) set to NULL, which causes the crash.

Changing line 720 from

if (isYUV(c->dstFormat) || isGray(c->dstFormat)) return -1;

to

if (c==NULL || isYUV(c->dstFormat) || isGray(c->dstFormat)) return -1;

allows playback to continue.

PS: I'm working with the latest ffmpeg sources from git in an (almost) clean environment.

Attachments (1)

fix.diff (618 bytes) - added by jtlebi 5 years ago.
suggested bug fix


Change History (7)

comment:1 Changed 5 years ago by cehoyos

  • Status changed from new to open

Consider sending or attaching a patch made with git diff libswscale/utils.c

Changed 5 years ago by jtlebi

suggested bug fix

comment:2 Changed 5 years ago by jtlebi

Here is the requested diff.

comment:3 Changed 5 years ago by saste

I'm not sure this is the right fix. Indeed the function is not supposed to be called on a NULL context, a check in the calling code should be done instead.

comment:4 Changed 5 years ago by michael

Can we see the code that calls this with NULL?
Anyway, the patch does no harm, so IMHO it should be applied if it helps someone.

comment:5 Changed 5 years ago by cehoyos

  • Resolution set to fixed
  • Status changed from open to closed

Patch applied, please post (or point to) the MLT code calling sws_getColorspaceDetails().

comment:6 Changed 5 years ago by jtlebi

I am currently doing tons of tests to locate the error source. Since MLT is fully multithreaded, this is quite tricky :-(

From one of my first tests, I remember that this function was called from the same C file, but I was not able to reproduce the backtrace. I did quite a lot of recompilations...

I have still not found out the exact bug location in the MLT code. I am now sure it appears in the kdenlive wrapper of the "qimage" producer, somewhere in the file "mlt-0.7.2/src/modules/qimage/qimage_wrapper.cpp".

Still investigating...
