Opened 5 years ago
Last modified 5 years ago
#8044 new defect
A potential NPD bug in the source file zmqsend.c
| Reported by: | wurongxin | Owned by: | |
|---|---|---|---|
| Priority: | minor | Component: | tools |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
How to reproduce:
% ffmpeg -i input ... output ffmpeg version built on ...
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
In the source file zmqsend.c, at Line 126, the invocation of the function "av_bprint_finalize" will make src_buf a null pointer. This will lead to an NPD at Line 128, with the function call to strlen(src_buf).
```c
av_bprint_finalize(&src, &src_buf);                        /* Line 126 */

if (zmq_send(socket, src_buf, strlen(src_buf), 0) == -1) { /* Line 128 */
    av_log(NULL, AV_LOG_ERROR, "Could not send message: %s\n", zmq_strerror(errno));
    ret = 1;
    goto end;
}
```
In the source file bprint.c, at Line 248, the variable str will receive the return value from the function av_malloc. In some cases, this function can return a null pointer. I think the developer has noticed such a case. That is why the developer will assign an error code to the variable ret. However, the null pointer will be assigned to *ret_str at Line 254.
```c
int av_bprint_finalize(AVBPrint *buf, char **ret_str)
{
    unsigned real_size = FFMIN(buf->len + 1, buf->size);
    char *str;
    int ret = 0;
    if (ret_str) {
        if (av_bprint_is_allocated(buf)) {
            str = av_realloc(buf->str, real_size);
            if (!str)
                str = buf->str;
            buf->str = NULL;
        } else {
            str = av_malloc(real_size);      /* Line 248: may return NULL */
            if (str)
                memcpy(str, buf->str, real_size);
            else
                ret = AVERROR(ENOMEM);
        }
        *ret_str = str;                      /* Line 254: NULL is stored on failure */
    } else {
        if (av_bprint_is_allocated(buf))
            av_freep(&buf->str);
    }
    buf->size = real_size;
    return ret;
}
```
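The pattern described in this report, as an added example that is not part of the original ticket or FFmpeg's code: a stand-in finalize routine that stores NULL in its output pointer when allocation fails, and a caller that checks the result before calling strlen(). `MiniBuf`, `mini_finalize`, `failing_alloc` and `checked_message_len` are hypothetical names, and the allocator is passed in as a parameter only so that the failure can be simulated.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an AVBPrint whose string is not heap-allocated. */
typedef struct { const char *str; unsigned len, size; } MiniBuf;
typedef void *(*alloc_fn)(size_t);

/* Allocator that always fails, simulating av_malloc() returning NULL. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Mirrors the non-allocated branch quoted above: on allocation failure
 * it returns an error code AND stores NULL in *ret_str. */
static int mini_finalize(MiniBuf *buf, char **ret_str, alloc_fn alloc)
{
    unsigned real_size = buf->len + 1 < buf->size ? buf->len + 1 : buf->size;
    char *str = alloc(real_size);
    int ret = 0;

    if (str)
        memcpy(str, buf->str, real_size);
    else
        ret = -ENOMEM;
    *ret_str = str;
    return ret;
}

/* Caller-side guard: test the return value before strlen() touches the
 * pointer. Returns the message length, or a negative errno on failure. */
static long checked_message_len(MiniBuf *buf, alloc_fn alloc)
{
    char *msg = NULL;
    int ret = mini_finalize(buf, &msg, alloc);
    long n;

    if (ret < 0 || !msg)
        return ret < 0 ? ret : -ENOMEM;
    n = (long)strlen(msg);   /* msg is known to be non-NULL here */
    free(msg);
    return n;
}

int main(void)
{
    MiniBuf b = { "volume 0.5", 10, 64 };   /* constructed sample command */
    long ok = checked_message_len(&b, malloc);
    long bad = checked_message_len(&b, failing_alloc);
    return (ok == 10 && bad == -ENOMEM) ? 0 : 1;
}
```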
Attachments (2)
Change History (7)
by , 5 years ago
Attachment: | Screenshot 2019-07-28 at 8.52.52 PM.png added |
---|
by , 5 years ago
Attachment: | Screenshot 2019-07-28 at 8.53.41 PM.png added |
---|
comment:1 by , 5 years ago
Priority: | normal → critical |
---|
comment:2 by , 5 years ago
Component: | ffmpeg → avutil |
---|---|
Priority: | critical → normal |
follow-up: 4 comment:3 by , 5 years ago
comment:4 by , 5 years ago
Replying to cehoyos:
> Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.
This bug is detected by a static analysis tool that is developed by ourselves. Could you help to confirm the understanding of the code logic is correct?
comment:5 by , 5 years ago
Component: | avutil → tools |
---|---|
Priority: | normal → minor |
Please explain how the issue can be reproduced, this includes the command line you tested together with the complete, uncut console output.