Opened 3 years ago
Closed 10 months ago
#9364 closed defect (fixed)
uninitialized value use
Reported by: | Andrew Bao | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | avdevice |
Version: | git-master | Keywords: | opengl |
Cc: | Andrew Bao | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Found by Andrew Bao with his use-of-uninitialized-value tool
This bug is in the file libavdevice/opengl_enc.c and function opengl_read_limits():
```c
586     int i, major, minor;
587     const char *extensions, *version;
588
589     version = glGetString(GL_VERSION);
590     extensions = glGetString(GL_EXTENSIONS);
591     if (!version || !extensions) {
592         av_log(h, AV_LOG_ERROR, "No OpenGL context initialized for the current thread\n");
593         return AVERROR(ENOSYS);
594     }
595
596     av_log(h, AV_LOG_DEBUG, "OpenGL version: %s\n", version);
597     sscanf(version, "%d.%d", &major, &minor);
598
599     for (i = 0; required_extensions[i].extension; i++) {
600         if (major < required_extensions[i].major &&
601             (major == required_extensions[i].major && minor < required_extensions[i].minor) &&
602             !strstr(extensions, required_extensions[i].extension)) {
603             av_log(h, AV_LOG_ERROR, "Required extension %s is not supported.\n",
604                    required_extensions[i].extension);
605             av_log(h, AV_LOG_DEBUG, "Supported extensions are: %s\n", extensions);
606             return AVERROR(ENOSYS);
607         }
608     }
```
In line 597, the code does not check for sscanf failure, so the variables major and minor may be left in an uninitialized state.
These two variables are then used in line 600 in an if condition, resulting in an uninitialized value use vulnerability.
Suggested fix:
Initialize major and minor when they are declared:

```c
int major = 0;
int minor = 0;
```

At the same time, check for failure of sscanf:

```c
/* sscanf returns the number of conversions performed; anything other than 2
 * means at least one of major/minor was not assigned. "ERROR" in the original
 * suggestion; AVERROR(ENOSYS) matches the function's other failure paths. */
if (sscanf(version, "%d.%d", &major, &minor) != 2)
    return AVERROR(ENOSYS);
```
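The pattern the ticket describes, as an added stand-alone example rather than FFmpeg's own code: the version parse is checked and its outputs are zeroed before use, so a string that `sscanf("%d.%d")` cannot parse (for instance an "OpenGL ES 3.2 ..." string, which starts with letters) is reported instead of leaving `major` and `minor` indeterminate and feeding them into the extension check. The `required_extensions` entries and the "core version is at least the listed one" test are assumptions for the demo, not the real table or the real check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the required_extensions table (constructed). */
struct gl_requirement { int major, minor; const char *extension; };
static const struct gl_requirement required_extensions[] = {
    { 2, 0, "GL_ARB_shader_objects" },
    { 2, 0, "GL_ARB_vertex_buffer_object" },
    { 0, 0, NULL }
};

/* Parse "<major>.<minor>..." the way sscanf does. Returns 0 on success,
 * -1 if the string does not begin with two dot-separated integers.
 * Outputs are always written: on failure they are 0, never indeterminate. */
int parse_gl_version(const char *version, int *major, int *minor)
{
    *major = 0;
    *minor = 0;
    if (!version || sscanf(version, "%d.%d", major, minor) != 2)
        return -1;   /* the return-value check the ticket asks for */
    return 0;
}

/* Returns 1 if every requirement is met (by core version or by an entry in
 * the extension string), 0 if one is missing, -1 if the version string is
 * unparsable. A caller never reaches the loop with unset major/minor. */
int gl_limits_ok(const char *version, const char *extensions)
{
    int i, major, minor;
    if (parse_gl_version(version, &major, &minor) < 0)
        return -1;
    for (i = 0; required_extensions[i].extension; i++) {
        /* assumed semantics: core version >= listed version satisfies it */
        int core = major > required_extensions[i].major ||
                   (major == required_extensions[i].major &&
                    minor >= required_extensions[i].minor);
        if (!core && !strstr(extensions, required_extensions[i].extension))
            return 0;
    }
    return 1;
}
```

The third result value is the important one: without the check, a non-numeric version string silently passes through with whatever happened to be on the stack in `major` and `minor`.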
Change History (2)
comment:1 by , 17 months ago
Component: | undetermined → avdevice |
---|---|
Keywords: | opengl added |
Version: | unspecified → git-master |
comment:2 by , 10 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in 557686ac6312ba59cc09fa023cf0f7a9f2c15a3f