Opened 5 years ago
Closed 5 years ago
#8095 closed defect (fixed)
do not munmap NULL pointers
Reported by: | wurongxin | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | avutil |
Version: | git-master | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
In the source file doc/examples/avio_reading.c, the variable buffer is initialized as a null pointer. After invoking av_file_map at Line 78, buffer can still be a null pointer and the variable ret will be an error code. Then, it will jump to the label end. At Line 126, it will invoke the function av_file_unmap, which eventually invokes munmap with the null pointer. This will cause some runtime errors. A similar bug can be found in another open source project: https://bugs.freedesktop.org/show_bug.cgi?id=107098. The following shows the relevant code snippet.
doc/examples/avio_reading.c:
    uint8_t *buffer = NULL, *avio_ctx_buffer = NULL;
    size_t buffer_size, avio_ctx_buffer_size = 4096;
    …
    ret = av_file_map(input_filename, &buffer, &buffer_size, 0, NULL);
    if (ret < 0)
        goto end;
    …
end:
    avformat_close_input(&fmt_ctx);

    /* note: the internal buffer could have changed, and be != avio_ctx_buffer */
    if (avio_ctx)
        av_freep(&avio_ctx->buffer);
    avio_context_free(&avio_ctx);

    av_file_unmap(buffer, buffer_size);
    …
libavutil/file.c:
void av_file_unmap(uint8_t *bufptr, size_t size)
{
#if HAVE_MMAP
    munmap(bufptr, size);
#elif HAVE_MAPVIEWOFFILE
    UnmapViewOfFile(bufptr);
#else
    av_free(bufptr);
#endif
}

int av_file_map(const char *filename, uint8_t **bufptr, size_t *size,
                int log_offset, void *log_ctx)
{
    FileLogContext file_log_ctx = { &file_log_ctx_class, log_offset, log_ctx };
    int err, fd = avpriv_open(filename, O_RDONLY);
    struct stat st;
    av_unused void *ptr;
    off_t off_size;
    char errbuf[128];
    *bufptr = NULL;   /* cleared before any of the failure returns below */

    if (fd < 0) {
        err = AVERROR(errno);
        av_strerror(err, errbuf, sizeof(errbuf));
        av_log(&file_log_ctx, AV_LOG_ERROR, "Cannot read file '%s': %s\n", filename, errbuf);
        return err;
    }

    if (fstat(fd, &st) < 0) {
        err = AVERROR(errno);
        av_strerror(err, errbuf, sizeof(errbuf));
        av_log(&file_log_ctx, AV_LOG_ERROR, "Error occurred in fstat(): %s\n", errbuf);
        close(fd);
        return err;
    }

    off_size = st.st_size;
    if (off_size > SIZE_MAX) {
        av_log(&file_log_ctx, AV_LOG_ERROR,
               "File size for file '%s' is too big\n", filename);
        close(fd);
        return AVERROR(EINVAL);
    }
    …
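The pattern the report describes, as an added example that is not FFmpeg's code: a small map/unmap pair in which the unmap refuses a NULL buffer, the example program's shared end: cleanup exercised on a path that cannot be opened, and the success path on a constructed temporary file for comparison. The function names (map_whole_file, unmap_whole_file, demo_cleanup_path, demo_with_temp_file) are hypothetical.

```c
/* Added example, not FFmpeg code; the function names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
/* Like av_file_map, *bufptr is cleared first: every error path hands back NULL. */
int map_whole_file(const char *path, uint8_t **bufptr, size_t *size)
{
    void *p;
    off_t len;
    int err, fd = open(path, O_RDONLY);
    *bufptr = NULL;
    if (fd < 0) return -errno;
    len = lseek(fd, 0, SEEK_END);   /* regular files only, as in the example */
    p = len > 0 ? mmap(NULL, (size_t)len, PROT_READ, MAP_PRIVATE, fd, 0) : MAP_FAILED;
    err = len > 0 ? errno : EINVAL; /* empty or unseekable file: nothing to map */
    close(fd);                      /* the mapping outlives the descriptor */
    if (p == MAP_FAILED) return -err;
    *bufptr = p;
    *size = (size_t)len;
    return 0;
}
/* Null-safe av_file_unmap: 1 if a mapping was released, 0 if there was none. */
int unmap_whole_file(uint8_t *bufptr, size_t size)
{
    if (!bufptr) return 0;          /* munmap(NULL, size) is never issued */
    return munmap(bufptr, size) == 0;
}
/* avio_reading.c flow: map, goto the shared end: label on error, unmap there; returns 0 or 1. */
int demo_cleanup_path(const char *path)
{
    uint8_t *buffer = NULL;
    size_t buffer_size = 0;         /* the original leaves this uninitialised */
    if (map_whole_file(path, &buffer, &buffer_size) < 0) goto end; /* buffer is still NULL */
end:
    return unmap_whole_file(buffer, buffer_size);
}
int demo_with_temp_file(void)       /* success path on a constructed temp file */
{
    char tmpl[] = "/tmp/avio_null_XXXXXX";
    int fd = mkstemp(tmpl), released;
    if (fd < 0 || write(fd, "abc", 3) != 3) return -1;
    close(fd);
    released = demo_cleanup_path(tmpl);
    unlink(tmpl);
    return released;
}
```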
Change History (3)

comment:1 by mypopy, 5 years ago (follow-up: 2)
pls try this patch: https://patchwork.ffmpeg.org/patch/14761/, Tks

comment:2 by , 5 years ago
Replying to mypopy:
    pls try this patch: https://patchwork.ffmpeg.org/patch/14761/, Tks
Yes. Thanks for your confirmation and fix. It indeed fixes the bug.

comment:3 by , 5 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |