[FFmpeg-trac] #8095(avutil:new): do not munmap NULL pointers

FFmpeg trac at avcodec.org
Mon Aug 26 15:46:29 EEST 2019


#8095: do not munmap NULL pointers
-----------------------------------+--------------------------------------
             Reporter:  wurongxin  |                     Type:  defect
               Status:  new        |                 Priority:  normal
            Component:  avutil     |                  Version:  git-master
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
 Summary of the bug:
 How to reproduce:
 {{{
 % ffmpeg -i input ... output
 ffmpeg version
 built on ...
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.

 In the source file doc/examples/avio_reading.c, the variable buffer is
 initialized as null pointer. After invoking av_file_map at Line 78, buffer
 can still be null pointer and the variable ret will be an error code.
 Then, it will jump to the label end. At Line 126, it will invoke the
 function av_file_unmap which eventually invoke munmap with the null
 pointer. This will cause some runtime errors. Similar bug can be found in
 other open source project:
 https://bugs.freedesktop.org/show_bug.cgi?id=107098. The following shows
 the relevant code snippet.


 doc/examples/avio_reading.c:

 63.  uint8_t *buffer = NULL, *avio_ctx_buffer = NULL;
 64.  size_t buffer_size, avio_ctx_buffer_size = 4096;

 …

 78.  ret = av_file_map(input_filename, &buffer, &buffer_size, 0, NULL);
 79.  if (ret < 0)
 80.      goto end;

 …

 118.  end:
 119.     avformat_close_input(&fmt_ctx);
 120.
 121.    /* note: the internal buffer could have changed, and be !=
 avio_ctx_buffer */
 122.    if (avio_ctx)
 123.        av_freep(&avio_ctx->buffer);
 124.    avio_context_free(&avio_ctx);
 125.
 126.    av_file_unmap(buffer, buffer_size);
 …



 libavutil/file.c:
 void av_file_unmap(uint8_t *bufptr, size_t size)
 {
 #if HAVE_MMAP
     munmap(bufptr, size);
 #elif HAVE_MAPVIEWOFFILE
     UnmapViewOfFile(bufptr);
 #else
     av_free(bufptr);
 #endif
 }


 int av_file_map(const char *filename, uint8_t **bufptr, size_t *size,
                 int log_offset, void *log_ctx)
 {
     FileLogContext file_log_ctx = { &file_log_ctx_class, log_offset,
 log_ctx };
     int err, fd = avpriv_open(filename, O_RDONLY);
     struct stat st;
     av_unused void *ptr;
     off_t off_size;
     char errbuf[128];
     *bufptr = NULL;

     if (fd < 0) {
         err = AVERROR(errno);
         av_strerror(err, errbuf, sizeof(errbuf));
         av_log(&file_log_ctx, AV_LOG_ERROR, "Cannot read file '%s': %s\n",
 filename, errbuf);
         return err;
     }

     if (fstat(fd, &st) < 0) {
         err = AVERROR(errno);
         av_strerror(err, errbuf, sizeof(errbuf));
         av_log(&file_log_ctx, AV_LOG_ERROR, "Error occurred in fstat():
 %s\n", errbuf);
         close(fd);
         return err;
     }

     off_size = st.st_size;
     if (off_size > SIZE_MAX) {
         av_log(&file_log_ctx, AV_LOG_ERROR,
                "File size for file '%s' is too big\n", filename);
         close(fd);
         return AVERROR(EINVAL);
     }
 …

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8095>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker


More information about the FFmpeg-trac mailing list