Opened 2 years ago

Last modified 2 years ago

#8044 new defect

A potential NPD bug in the source file zmqsend.c

Reported by: wurongxin
Owned by: (nobody)
Priority: minor
Component: tools
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description


In the source file zmqsend.c, at Line 126, the invocation of the function "av_bprint_finalize" can make src_buf a null pointer. This will lead to an NPD at Line 128, with the function call to strlen(src_buf).

    av_bprint_finalize(&src, &src_buf);

    if (zmq_send(socket, src_buf, strlen(src_buf), 0) == -1) {
        av_log(NULL, AV_LOG_ERROR, "Could not send message: %s\n", zmq_strerror(errno));
        ret = 1;
        goto end;
    }

In the source file bprint.c, at Line 248, the variable str receives the return value of the function av_malloc. In some cases, this function can return a null pointer. I think the developer has noticed such a case. That is why the developer assigns the variable ret an error code. However, the null pointer will still be assigned to *ret_str at Line 254.

    int av_bprint_finalize(AVBPrint *buf, char **ret_str)
    {
        unsigned real_size = FFMIN(buf->len + 1, buf->size);
        char *str;
        int ret = 0;

        if (ret_str) {
            if (av_bprint_is_allocated(buf)) {
                str = av_realloc(buf->str, real_size);
                if (!str)
                    str = buf->str;
                buf->str = NULL;
            } else {
                str = av_malloc(real_size);
                if (str)
                    memcpy(str, buf->str, real_size);
                else
                    ret = AVERROR(ENOMEM);  /* allocation failed: str is NULL here */
            }
            *ret_str = str;  /* may store NULL; caller must check ret */
        } else {
            if (av_bprint_is_allocated(buf))
                av_freep(&buf->str);
        }
        buf->size = real_size;
        return ret;
    }
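The following is an added, self-contained C example, not code from FFmpeg or from this ticket. It models the property the report describes with a minimal stand-in for AVBPrint (called MiniBPrint here, with a hypothetical mini_bprint_finalize and an allocator hook g_fail_alloc to force the out-of-memory path; libavutil has none of these), and places the caller pattern quoted from zmqsend.c, which ignores the return value and calls strlen() on the result, next to a checked variant that returns the error instead of dereferencing the null pointer. fake_send stands in for zmq_send and only records the length it was given.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for AVBPrint (hypothetical, not libavutil's struct). */
typedef struct {
    char *str;
    unsigned len;
    unsigned size;
} MiniBPrint;

/* Allocator hook so the ENOMEM path can be exercised deterministically.
 * Hypothetical: libavutil has no such switch. */
static int g_fail_alloc = 0;

void *mini_malloc(size_t n)
{
    return g_fail_alloc ? NULL : malloc(n);
}

/* Fill the buffer with constructed text (uses plain malloc so setup
 * always succeeds even when the hook is armed). */
void mini_bprint_init(MiniBPrint *buf, const char *text)
{
    buf->len = (unsigned)strlen(text);
    buf->size = buf->len + 1;
    buf->str = malloc(buf->size);
    memcpy(buf->str, text, buf->size);
}

/* Mirrors the non-allocated branch quoted in the ticket: copy into a fresh
 * buffer; on allocation failure *ret_str is left NULL and -ENOMEM is returned. */
int mini_bprint_finalize(MiniBPrint *buf, char **ret_str)
{
    unsigned real_size = buf->len + 1 < buf->size ? buf->len + 1 : buf->size;
    char *str = NULL;
    int ret = 0;

    if (ret_str) {
        str = mini_malloc(real_size);
        if (str)
            memcpy(str, buf->str, real_size);
        else
            ret = -ENOMEM;
        *ret_str = str;          /* NULL on failure, exactly as in the report */
    }
    free(buf->str);
    buf->str = NULL;
    buf->size = real_size;
    return ret;
}

/* Stand-in for zmq_send: records the length handed to it. */
int fake_send(const char *data, size_t len, size_t *sent_len)
{
    (void)data;
    *sent_len = len;
    return 0;
}

/* The pattern the ticket flags: finalize's return value is ignored and
 * src_buf goes straight into strlen(). With g_fail_alloc set this would
 * dereference NULL, so the test below never calls it. */
int send_message_unchecked(const char *text, size_t *sent_len)
{
    MiniBPrint src;
    char *src_buf;
    int rc;

    mini_bprint_init(&src, text);
    mini_bprint_finalize(&src, &src_buf);
    rc = fake_send(src_buf, strlen(src_buf), sent_len); /* NPD if src_buf == NULL */
    free(src_buf);
    return rc;
}

/* Checked variant: test the return value (and the pointer) before use and
 * propagate the negative error code instead of touching the buffer. */
int send_message_checked(const char *text, size_t *sent_len)
{
    MiniBPrint src;
    char *src_buf = NULL;
    int ret;

    mini_bprint_init(&src, text);
    ret = mini_bprint_finalize(&src, &src_buf);
    if (ret < 0 || !src_buf) {
        fprintf(stderr, "Could not finalize message buffer: %s\n", strerror(-ret));
        return ret;
    }
    ret = fake_send(src_buf, strlen(src_buf), sent_len);
    free(src_buf);
    return ret;
}

/* Runs the checked sender with the allocator hook armed or not. */
int send_with_alloc_failure(const char *text, int fail, size_t *sent_len)
{
    int ret;
    g_fail_alloc = fail;
    ret = send_message_checked(text, sent_len);
    g_fail_alloc = 0;
    return ret;
}

int main(void)
{
    size_t n = 0;
    int r1 = send_with_alloc_failure("hello", 0, &n);
    printf("normal: ret=%d, sent %zu bytes\n", r1, n);
    int r2 = send_with_alloc_failure("hello", 1, &n);
    printf("oom:    ret=%d (%s)\n", r2, strerror(-r2));
    return 0;
}
```

The checked variant tests both the return code and the pointer; the ticket's own quote shows that a negative return is the only reliable signal, since *ret_str is written unconditionally. Any caller that, like the quoted zmqsend.c lines, passes the finalized buffer to strlen() or to a send call should fail closed on that return code.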

Attachments (2)

Screenshot 2019-07-28 at 8.52.52 PM.png (202.1 KB ) - added by wurongxin 2 years ago.
Screenshot 2019-07-28 at 8.53.41 PM.png (54.2 KB ) - added by wurongxin 2 years ago.


Change History (7)

comment:1 by wurongxin, 2 years ago

Priority: normal → critical

comment:2 by Carl Eugen Hoyos, 2 years ago

Component: ffmpeg → avutil
Priority: critical → normal

comment:3 by Carl Eugen Hoyos, 2 years ago

Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.

comment:4 by wurongxin, 2 years ago (in reply to comment:3)

Replying to cehoyos:

Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.

This bug is detected by a static analysis tool that is developed by ourselves. Could you help to confirm the understanding of the code logic is correct?

comment:5 by Carl Eugen Hoyos, 2 years ago

Component: avutil → tools
Priority: normal → minor