[FFmpeg-devel] [PATCH] Fix segfault when opening empty file

Michael Niedermayer michaelni
Sat Oct 17 22:32:07 CEST 2009


On Sat, Oct 17, 2009 at 10:22:30PM +0200, Vitor Sessak wrote:
> Michael Niedermayer wrote:
>> On Sat, Oct 17, 2009 at 01:55:14AM +0200, Vitor Sessak wrote:
>>> $subj, to reproduce
>>>
>>> $ touch /tmp/file
>>> $ ffmpeg -i /tmp/file
>>>
>>> -Vitor
>>>  utils.c |    6 ++++++
>>>  1 file changed, 6 insertions(+)
>>> a0e169553dcd39a60c329e8b67342afe6cee9e8b  empty_file_crash.diff
>>> Index: libavformat/utils.c
>>> ===================================================================
>>> --- libavformat/utils.c	(revision 20260)
>>> +++ libavformat/utils.c	(working copy)
>>> @@ -469,6 +469,12 @@
>>>              /* read probe data */
>>>              pd->buf= av_realloc(pd->buf, probe_size + 
>>> AVPROBE_PADDING_SIZE);
>>>              pd->buf_size = get_buffer(pb, pd->buf, probe_size);
>>> +
>>> +            if (pd->buf_size < 0) {
>>> +                err = pd->buf_size;
>>> +                goto fail;
>>> +            }
>> if its done like that, then AVProbeData.buf_size needs a comment making it
>> clear that buf_size must stay signed, or some "size signedness cleanup"
>> would break this
>
> Good point. Attached is slightly more ugly but more robust.
>
> -Vitor

>  utils.c |   10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 1a0bd9be3e10e0369e96f1aa06c167f450049704  empty_file_crash2.diff
> Index: libavformat/utils.c
> ===================================================================
> --- libavformat/utils.c	(revision 20260)
> +++ libavformat/utils.c	(working copy)
> @@ -466,9 +466,17 @@
>  
>          for(probe_size= PROBE_BUF_MIN; probe_size<=PROBE_BUF_MAX && !fmt; probe_size<<=1){
>              int score= probe_size < PROBE_BUF_MAX ? AVPROBE_SCORE_MAX/4 : 0;
> +            int size;
>              /* read probe data */
>              pd->buf= av_realloc(pd->buf, probe_size + AVPROBE_PADDING_SIZE);
> -            pd->buf_size = get_buffer(pb, pd->buf, probe_size);
> +            size = get_buffer(pb, pd->buf, probe_size);
> +
> +            if (size < 0) {
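Review bot: keeping the read result in the local `int size` makes the `size < 0` check independent of the signedness of AVProbeData.buf_size, which addresses the concern raised on the first version. The hunk is cut off after `if (size < 0) {`, so neither the error path nor the point where `pd->buf_size` is assigned from `size` is visible; since the line `pd->buf_size = get_buffer(pb, pd->buf, probe_size);` is removed, the success path must still store `size` into pd->buf_size, otherwise the probe functions run with a stale buf_size from the previous iteration.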

hmm
if((int)pd->buf_size < 0)

should work too
and feel free to commit directly

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA