Opened 4 years ago
Closed 3 years ago
#8931 closed defect (fixed)
Some potential Null pointer dereference bugs.
Reported by: | yunlongs | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | undetermined |
Version: | git-master | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
I have found some potential null pointer dereference bugs, which are due to a lack of necessary checks after some memory allocation functions.
These can cause a segmentation fault with no error messages.
Bug 1: libavfilter/af_mcompand.c
388: s->bands[i].attack_rate = av_calloc(outlink->channels, sizeof(double));
389: s->bands[i].decay_rate = av_calloc(outlink->channels, sizeof(double));
390: s->bands[i].volume = av_calloc(outlink->channels, sizeof(double));
     for (k = 0; k < FFMIN(nb_attacks / 2, outlink->channels); k++) {...}
I have read the definition of av_calloc carefully and found there are several ways it can return NULL. But we do not check the returned pointers after lines 388, 389 and 390, and use them directly in the for loop.
Bug 2: dnn_backend_native.c
82: AVFrame *in_frame = av_frame_alloc();
83: AVFrame *out_frame = av_frame_alloc();
    in_frame->width = input_width;
    in_frame->height = input_height;
Same as Bug 1, forgetting to check the return value of av_frame_alloc() and using it directly.
Bug 3:libavfilter/dnn/dnn_backend_native_layer_conv2d.c
227: thread_param[i] = av_malloc(sizeof(**thread_param));
228: thread_param[i]->thread_common_param = &thread_common_param;
...
246: thread_param[0] = av_malloc(sizeof(**thread_param));
247: thread_param[0]->thread_common_param = &thread_common_param;
Forgetting to check the return value of av_malloc and using it directly.
Bug 4:libavformat/avidec.c
1075: AVIOContext *pb = avio_alloc_context(pkt->data + 7, pkt->size - 7, 0, NULL, NULL, NULL, NULL);
1081: if (desc_len > pb->buf_end - pb->buf_ptr)
Forgetting to check the return value of avio_alloc_context and using it directly.
Bug 5:libavformat/hls.c
830: cur_init_section = new_init_section(pls, &info, url);
831: cur_init_section->key_type = key_type;
Forgetting to check the return value of new_init_section and using it directly.
Fixing them can make your project more robust; please consider them, thanks.
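As an added illustration (constructed C, not FFmpeg's code and not the reporter's): the checked form of the Bug 1 pattern, with a fault-injecting allocator so the failure path can actually be exercised. The Band struct, band_calloc and the -ENOMEM return value are assumptions standing in for FFmpeg's own types and AVERROR(ENOMEM).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for one mcompand band (not FFmpeg's own struct). */
typedef struct { double *attack_rate, *decay_rate, *volume; } Band;
/* Fault injection for the demo: fail the Nth allocation when fail_at > 0. */
static int alloc_calls, fail_at;
static void *band_calloc(size_t n, size_t sz)
{
    if (fail_at && ++alloc_calls == fail_at)
        return NULL;
    return calloc(n, sz);
}
static void band_uninit(Band *b)
{
    free(b->attack_rate); free(b->decay_rate); free(b->volume);
    memset(b, 0, sizeof(*b));
}
/* Hardened form of the pattern from Bug 1: each allocation is checked before
 * anything dereferences it, and on failure everything already allocated is
 * released so the caller never sees a half-initialised band. Returns 0 or
 * -ENOMEM (FFmpeg's AVERROR(ENOMEM) convention is assumed, not copied). */
static int band_init(Band *b, int channels)
{
    memset(b, 0, sizeof(*b));
    b->attack_rate = band_calloc(channels, sizeof(double));
    b->decay_rate  = band_calloc(channels, sizeof(double));
    b->volume      = band_calloc(channels, sizeof(double));
    if (!b->attack_rate || !b->decay_rate || !b->volume) {
        band_uninit(b);                 /* free(NULL) is a no-op, so this is safe */
        return -ENOMEM;
    }
    for (int k = 0; k < channels; k++)  /* stands in for the loop the report quotes */
        b->volume[k] = 1.0;
    return 0;
}
/* Run band_init with the Nth allocation forced to fail (0 = no failure).
 * Returns 0 on success, -ENOMEM on a clean failure, or 1 if a failure left a
 * dangling pointer behind (what the unchecked original would have done). */
static int run_with_failure(int channels, int nth_alloc_fails)
{
    Band b;
    alloc_calls = 0;
    fail_at = nth_alloc_fails;
    int ret = band_init(&b, channels);
    if (ret == 0) { band_uninit(&b); return 0; }
    return (b.attack_rate || b.decay_rate || b.volume) ? 1 : ret;
}
```

Whichever of the three allocations fails, the result is a clean -ENOMEM with every pointer reset, instead of the NULL dereference in the loop that the report describes.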
All reported issues got fixed:
46f3ae8f672533a380dea7c4e13c84d52014de6c
ad95e5e45dbb3c3dddc3e2c3fe93bc98f239bd29
d14ae74064a841d8a24aec78e9143fba01ce7003
0c90377a402d10279a4133034d8dd66c1809d42c
28c83584e8f3cd747c1476a74cc2841d3d1fa7f3