[Ffmpeg-devel] [BUG] ff_eval causes segfault on illegal input

Panagiotis Issaris takis.issaris
Sun Sep 24 12:11:37 CEST 2006


ff_eval() in eval.c causes a segfault when its input makes no sense.

The bug can be triggered by:
ffmpeg -i src.avi -rc_eq takis dst.avi

Results in:
takis at hemera:~$ ffmpeg -i /mnt/windata/dvold/doopfeest2/nieuwevideos2003.12.28_21-46-09.dv -rc_eq takis /tmp/bla.avi
FFmpeg version SVN-r6252, Copyright (c) 2000-2004 Fabrice Bellard
  configuration:  --enable-x264 --enable-gpl --enable-xvid --enable-a52 --enable-dts --enable-libgsm --enable-faac --enable-faad --enable-mp3lame --enable-libogg --enable-vorbis --enable-pp
  libavutil version: 49.0.0
  libavcodec version: 51.14.0
  libavformat version: 50.5.0
  built on Sep 14 2006 21:12:06, gcc: 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu9)
Input #0, dv, from
  Duration: 00:00:26.2, start: 0.000000, bitrate: 28800 kb/s
  Stream #0.0: Video: dvvideo, yuv420p, 720x576, 28800 kb/s, 25.00
  Stream #0.1: Audio: pcm_s16le, 48000 Hz, stereo, 1536 kb/s
File '/tmp/bla.avi' already exists. Overwrite ? [y/N] y
Output #0, avi, to '/tmp/bla.avi':
  Stream #0.0: Video: mpeg4, yuv420p, 720x576, q=2-31, 200 kb/s, 25.00
  Stream #0.1: Audio: mp2, 48000 Hz, stereo, 64 kb/s
Stream mapping:
  Stream #0.0 -> #0.0
  Stream #0.1 -> #0.1
Press [q] to stop encoding
Parser: missing ( in "takis"
Segmentatie fout
takis at hemera:~$

In evalPrimary() the strchr() function is used to search for '('. This
function returns NULL if the character cannot be found. The current code is:

    p->s = strchr(p->s, '(');
    if(p->s==NULL) {
        return NAN;
    }

Thus, if '(' is not found, p->s gets set to NULL and execution is
continued at the calling function. The calling function is evalPow()
which returns nearly immediately, so execution continues in
evalFactor(). In evalFactor(), p->s is dereferenced, causing a segfault.

So, I can fix it by:
* Adding the returns as I did in the original patch, when I did not yet
fully understand the problem.
* Changing the above-mentioned code so that it does not modify p->s but
uses a temporary pointer instead, checking whether it is NULL before
modifying p->s.

With friendly regards,
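As an added illustration (not code from the post or from ffmpeg's eval.c), here is a cut-down model of the failure mode described above beside the second proposed fix; the `Parser` struct and the `eval_primary_*` / `next_char_after_primary` names are hypothetical stand-ins for `evalPrimary()` and `evalFactor()`:

```c
/* Added example: models the NULL-propagation bug from the bug report.
 * Names are hypothetical; this is not ffmpeg's own eval.c code. */
#include <math.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *s; } Parser;   /* hypothetical parser state */

/* Buggy pattern: the strchr() result is written straight into p->s, so on
 * a miss the parser state becomes NULL even though we return "cleanly". */
static double eval_primary_buggy(Parser *p) {
    p->s = strchr(p->s, '(');
    if (p->s == NULL) {
        fprintf(stderr, "Parser: missing ( in input\n");
        return NAN;             /* p->s is now NULL for every caller */
    }
    p->s++;                     /* skip '(' */
    return 1.0;                 /* stand-in for evaluating the arguments */
}

/* Fixed pattern (second option in the report): search via a temporary
 * pointer and only update p->s once the result is known to be non-NULL. */
static double eval_primary_fixed(Parser *p) {
    const char *open = strchr(p->s, '(');
    if (open == NULL) {
        fprintf(stderr, "Parser: missing ( in \"%s\"\n", p->s);
        return NAN;             /* p->s still points at valid text */
    }
    p->s = open + 1;
    return 1.0;
}

/* Models evalFactor(): after the primary it reads *p->s unconditionally,
 * which is exactly where the report's segfault happens with the buggy
 * version. Returns the character the parser is positioned on. */
static int next_char_after_primary(Parser *p, double (*primary)(Parser *)) {
    (void)primary(p);           /* NAN or not, the caller carries on */
    return *p->s;               /* NULL dereference if primary() set p->s=NULL */
}
```

Calling `next_char_after_primary` with `eval_primary_buggy` on the input `"takis"` reproduces the crash; with `eval_primary_fixed` it returns `'t'` and the NAN propagates as intended.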