Opened 3 years ago
Closed 3 years ago
#9365 closed defect (duplicate)
uninitialized value use
| Reported by: | Andrew Bao | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | unspecified | Keywords: | |
| Cc: | Andrew Bao | Blocked By: | |
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Found by Andrew Bao with his usage-of-uninitialized value tool
This bug is in the file libavdevice/opengl_enc.c and function opengl_read_limits():
586 int i, major, minor;
587 const char *extensions, *version;
588
589 version = glGetString(GL_VERSION);
590 extensions = glGetString(GL_EXTENSIONS);
591 if (!version || !extensions) {
592 av_log(h, AV_LOG_ERROR, "No OpenGL context initialized for the current thread\n");
593 return AVERROR(ENOSYS);
594 }
595
596 av_log(h, AV_LOG_DEBUG, "OpenGL version: %s\n", version);
597 sscanf(version, "%d.%d", &major, &minor);
598
599 for (i = 0; required_extensions[i].extension; i++) {
600 if (major < required_extensions[i].major &&
601 (major == required_extensions[i].major && minor < required_extensions[i].minor) &&
602 !strstr(extensions, required_extensions[i].extension)) {
603 av_log(h, AV_LOG_ERROR, "Required extension %s is not supported.\n",
604 required_extensions[i].extension);
605 av_log(h, AV_LOG_DEBUG, "Supported extensions are: %s\n", extensions);
606 return AVERROR(ENOSYS);
607 }
608 }
in line 597, the code does not check sscanf failure. It is possible that variable major and minor are in uninitialized state.
Then these two variables are use in line 600 in a if condition, resulting in a uninitialized value use vulnerability.
Suggested fix:
Initialized value major and minor when they are allocated.
int major = 0; int minor = 0;
At the same time, check the failure of sscanf:
if(sscanf(version, "%d.%d", &major, &minor)!=2)
return ERROR;
Note:
See TracTickets
for help on using tickets.
Duplicate of #9364.