Opened 3 years ago

Closed 10 months ago

#9364 closed defect (fixed)

uninitialized value use

Reported by: Andrew Bao
Owned by:
Priority: normal
Component: avdevice
Version: git-master
Keywords: opengl
Cc: Andrew Bao
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Found by Andrew Bao with his usage-of-uninitialized-value tool.

This bug is in the file libavdevice/opengl_enc.c and function opengl_read_limits():


586     int i, major, minor;
587     const char *extensions, *version;
588
589     version = glGetString(GL_VERSION);
590     extensions = glGetString(GL_EXTENSIONS);
591     if (!version || !extensions) {
592         av_log(h, AV_LOG_ERROR, "No OpenGL context initialized for the current thread\n");
593         return AVERROR(ENOSYS);
594     }
595
596     av_log(h, AV_LOG_DEBUG, "OpenGL version: %s\n", version);
597     sscanf(version, "%d.%d", &major, &minor);
598
599     for (i = 0; required_extensions[i].extension; i++) {
600         if (major < required_extensions[i].major &&
601             (major == required_extensions[i].major && minor < required_extensions[i].minor) &&
602             !strstr(extensions, required_extensions[i].extension)) {
603             av_log(h, AV_LOG_ERROR, "Required extension %s is not supported.\n",
604                    required_extensions[i].extension);
605             av_log(h, AV_LOG_DEBUG, "Supported extensions are: %s\n", extensions);
606             return AVERROR(ENOSYS);
607         }
608     }

In line 597, the code does not check for sscanf failure. It is possible that the variables major and minor are in an uninitialized state.

Then these two variables are used in line 600 in an if condition, resulting in an uninitialized value use vulnerability.

Suggested fix:
Initialize the values major and minor when they are allocated.

int major = 0;
int minor = 0;

At the same time, check the failure of sscanf:

if (sscanf(version, "%d.%d", &major, &minor) != 2)
    return ERROR;
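
An added example, not part of the ticket and not FFmpeg's code, showing the suggested sscanf check in a form that can be run on its own. The names `parse_gl_version`, `requirement_met` and `struct ext_req` are hypothetical, the version and extension strings are constructed, and the comparison assumes the major/minor fields give the version from which the extension no longer has to be listed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical requirement entry, modelled on the fields the ticket's loop reads. */
struct ext_req { const char *extension; int major, minor; };

/* Parse the leading "major.minor" of a GL_VERSION-style string.
 * Returns 0 on success, -1 if either field is missing or negative.
 * The outputs are written only on success, so no partial state leaks out. */
static int parse_gl_version(const char *version, int *major, int *minor)
{
    int maj = 0, min = 0;

    if (!version || sscanf(version, "%d.%d", &maj, &min) != 2)
        return -1;
    if (maj < 0 || min < 0)
        return -1;
    *major = maj;
    *minor = min;
    return 0;
}

/* Returns 1 if the requirement is met, 0 if not, -1 if the version cannot be
 * parsed. Assumed intent: the version is new enough, or the extension is listed. */
static int requirement_met(const char *version, const char *extensions,
                           const struct ext_req *req)
{
    int major, minor;

    if (parse_gl_version(version, &major, &minor) < 0)
        return -1;               /* fail closed instead of comparing garbage */
    if (major > req->major || (major == req->major && minor >= req->minor))
        return 1;
    return extensions && strstr(extensions, req->extension) != NULL;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the ticket. */
    const struct ext_req req = { "GL_ARB_framebuffer_object", 3, 0 };
    const char *versions[] = { "4.6.0 NVIDIA 535.00", "2.1 Mesa", "4",
                               "OpenGL ES 3.2", "" };

    for (size_t i = 0; i < sizeof(versions) / sizeof(versions[0]); i++)
        printf("%-22s -> %d\n", versions[i],
               requirement_met(versions[i], "GL_ARB_multitexture", &req));
    return 0;
}
```

Strings such as "4", "OpenGL ES 3.2" and the empty string make sscanf return 1, 0 and EOF respectively, which are the cases where the unchecked call on line 597 leaves one or both variables unset.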

Change History (2)

comment:1 by Carl Eugen Hoyos, 17 months ago

Component: undetermined → avdevice
Keywords: opengl added
Version: unspecified → git-master

comment:2 by Elon Musk, 10 months ago

Resolution: fixed
Status: new → closed