Opened 3 years ago

Closed 3 years ago

#8095 closed defect (fixed)

do not munmap NULL pointers

Reported by: wurongxin Owned by:
Priority: normal Component: avutil
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
How to reproduce:

% ffmpeg -i input ... output
ffmpeg version
built on ...

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

In the source file doc/examples/avio_reading.c, the variable buffer is initialized as a null pointer. After invoking av_file_map at Line 78, buffer can still be a null pointer and the variable ret will be an error code. Then it jumps to the label end. At Line 126, it invokes the function av_file_unmap, which eventually invokes munmap with the null pointer. This will cause some runtime errors. A similar bug can be found in another open source project: https://bugs.freedesktop.org/show_bug.cgi?id=107098. The following shows the relevant code snippet.

doc/examples/avio_reading.c:

    uint8_t *buffer = NULL, *avio_ctx_buffer = NULL;
    size_t buffer_size, avio_ctx_buffer_size = 4096;

    ...

    ret = av_file_map(input_filename, &buffer, &buffer_size, 0, NULL);
    if (ret < 0)
        goto end;

    ...

end:
    avformat_close_input(&fmt_ctx);

    /* note: the internal buffer could have changed, and be != avio_ctx_buffer */
    if (avio_ctx)
        av_freep(&avio_ctx->buffer);
    avio_context_free(&avio_ctx);

    av_file_unmap(buffer, buffer_size);


libavutil/file.c:

void av_file_unmap(uint8_t *bufptr, size_t size)
{
#if HAVE_MMAP
    munmap(bufptr, size);
#elif HAVE_MAPVIEWOFFILE
    UnmapViewOfFile(bufptr);
#else
    av_free(bufptr);
#endif
}

int av_file_map(const char *filename, uint8_t **bufptr, size_t *size,
                int log_offset, void *log_ctx)
{
    FileLogContext file_log_ctx = { &file_log_ctx_class, log_offset, log_ctx };
    int err, fd = avpriv_open(filename, O_RDONLY);
    struct stat st;
    av_unused void *ptr;
    off_t off_size;
    char errbuf[128];
    *bufptr = NULL;   /* caller's pointer stays NULL on every error path below */

    if (fd < 0) {
        err = AVERROR(errno);
        av_strerror(err, errbuf, sizeof(errbuf));
        av_log(&file_log_ctx, AV_LOG_ERROR, "Cannot read file '%s': %s\n", filename, errbuf);
        return err;
    }

    if (fstat(fd, &st) < 0) {
        err = AVERROR(errno);
        av_strerror(err, errbuf, sizeof(errbuf));
        av_log(&file_log_ctx, AV_LOG_ERROR, "Error occurred in fstat(): %s\n", errbuf);
        close(fd);
        return err;
    }

    off_size = st.st_size;
    if (off_size > SIZE_MAX) {
        av_log(&file_log_ctx, AV_LOG_ERROR,
               "File size for file '%s' is too big\n", filename);
        close(fd);
        return AVERROR(EINVAL);
    }

    /* ... remainder of the function not quoted in the ticket ... */

Change History (3)

comment:1 by Jun Zhao, 3 years ago

comment:2 by wurongxin, 3 years ago (in reply to comment:1)

Replying to mypopy:

pls try this patch: https://patchwork.ffmpeg.org/patch/14761/, Tks

Yes. Thanks for your confirmation and fix. It indeed fixes the bug.

comment:3 by Jun Zhao, 3 years ago

Resolution: fixed
Status: new → closed