Opened 5 years ago

Last modified 5 years ago

#8044 new defect

A potential NPD bug in the source file zmqsend.c

Reported by: wurongxin Owned by:
Priority: minor Component: tools
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
How to reproduce:

% ffmpeg -i input ... output
ffmpeg version
built on ...

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

In the source file zmqsend.c, at Line 126, the invocation to the function "av_bprint_finalize" will make src_buf as null pointer. This will lead to a NPD at Line 128, with the function call to strlen(src_buf).

  1. av_bprint_finalize(&src, &src_buf);

127.

  1. if (zmq_send(socket, src_buf, strlen(src_buf), 0) == -1) {
  2. av_log(NULL, AV_LOG_ERROR, "Could not send message: %s\n", zmq_strerror(errno));
  3. ret = 1;
  4. goto end;
  5. }

In the source file bprint.c, at Line 248, the variable str will receive the return value from the function av_malloc. In some case, this function can return null pointer. I think, the developer has noticed such case. That is why the developer will assign the variable ret as an error code. However, the null pointer will be assigned to *ret_str at Line 254.

  1. int av_bprint_finalize(AVBPrint *buf, char ret_str)
  2. {
  3. unsigned real_size = FFMIN(buf->len + 1, buf->size);
  4. char *str;
  5. int ret = 0;
  7. if (ret_str) {
  8. if (av_bprint_is_allocated(buf)) {
  9. str = av_realloc(buf->str, real_size);
  10. if (!str)
  11. str = buf->str;
  12. buf->str = NULL;
  13. } else {
  14. str = av_malloc(real_size);
  15. if (str)
  16. memcpy(str, buf->str, real_size);
  17. else
  18. ret = AVERROR(ENOMEM);
  19. }
  20. *ret_str = str;
  21. } else {
  22. if (av_bprint_is_allocated(buf))
  23. av_freep(&buf->str);
  24. }
  25. buf->size = real_size;
  26. return ret;
  27. }

Attachments (2)

Screenshot 2019-07-28 at 8.52.52 PM.png (202.1 KB ) - added by wurongxin 5 years ago.
Screenshot 2019-07-28 at 8.53.41 PM.png (54.2 KB ) - added by wurongxin 5 years ago.

Download all attachments as: .zip

Change History (7)

by wurongxin, 5 years ago

Attachment: Screenshot 2019-07-28 at 8.52.52 PM.png added

by wurongxin, 5 years ago

Attachment: Screenshot 2019-07-28 at 8.53.41 PM.png added

comment:1 by wurongxin, 5 years ago

Priority: normalcritical

comment:2 by Carl Eugen Hoyos, 5 years ago

Component: ffmpegavutil
Priority: criticalnormal

comment:3 by Carl Eugen Hoyos, 5 years ago

Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.

in reply to:  3 comment:4 by wurongxin, 5 years ago

Replying to cehoyos:

Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.

This bug is detected by a static analysis tool that is developed by ourselves. Could you help to confirm the understanding of the code logic is correct?

comment:5 by Carl Eugen Hoyos, 5 years ago

Component: avutiltools
Priority: normalminor
Note: See TracTickets for help on using tickets.