[FFmpeg-trac] #8095(avutil:new): do not munmap NULL pointers
FFmpeg
trac at avcodec.org
Mon Aug 26 15:46:29 EEST 2019
#8095: do not munmap NULL pointers
-----------------------------------+--------------------------------------
Reporter: wurongxin | Type: defect
Status: new | Priority: normal
Component: avutil | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+--------------------------------------
Summary of the bug:
How to reproduce:
{{{
% ffmpeg -i input ... output
ffmpeg version
built on ...
}}}
Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.
In the source file doc/examples/avio_reading.c, the variable buffer is
initialized as null pointer. After invoking av_file_map at Line 78, buffer
can still be null pointer and the variable ret will be an error code.
Then, it will jump to the label end. At Line 126, it will invoke the
function av_file_unmap which eventually invoke munmap with the null
pointer. This will cause some runtime errors. Similar bug can be found in
other open source project:
https://bugs.freedesktop.org/show_bug.cgi?id=107098. The following shows
the relevant code snippet.
doc/examples/avio_reading.c:
63. uint8_t *buffer = NULL, *avio_ctx_buffer = NULL;
64. size_t buffer_size, avio_ctx_buffer_size = 4096;
…
78. ret = av_file_map(input_filename, &buffer, &buffer_size, 0, NULL);
79. if (ret < 0)
80. goto end;
…
118. end:
119. avformat_close_input(&fmt_ctx);
120.
121. /* note: the internal buffer could have changed, and be !=
avio_ctx_buffer */
122. if (avio_ctx)
123. av_freep(&avio_ctx->buffer);
124. avio_context_free(&avio_ctx);
125.
126. av_file_unmap(buffer, buffer_size);
…
libavutil/file.c:
void av_file_unmap(uint8_t *bufptr, size_t size)
{
#if HAVE_MMAP
munmap(bufptr, size);
#elif HAVE_MAPVIEWOFFILE
UnmapViewOfFile(bufptr);
#else
av_free(bufptr);
#endif
}
int av_file_map(const char *filename, uint8_t **bufptr, size_t *size,
int log_offset, void *log_ctx)
{
FileLogContext file_log_ctx = { &file_log_ctx_class, log_offset,
log_ctx };
int err, fd = avpriv_open(filename, O_RDONLY);
struct stat st;
av_unused void *ptr;
off_t off_size;
char errbuf[128];
*bufptr = NULL;
if (fd < 0) {
err = AVERROR(errno);
av_strerror(err, errbuf, sizeof(errbuf));
av_log(&file_log_ctx, AV_LOG_ERROR, "Cannot read file '%s': %s\n",
filename, errbuf);
return err;
}
if (fstat(fd, &st) < 0) {
err = AVERROR(errno);
av_strerror(err, errbuf, sizeof(errbuf));
av_log(&file_log_ctx, AV_LOG_ERROR, "Error occurred in fstat():
%s\n", errbuf);
close(fd);
return err;
}
off_size = st.st_size;
if (off_size > SIZE_MAX) {
av_log(&file_log_ctx, AV_LOG_ERROR,
"File size for file '%s' is too big\n", filename);
close(fd);
return AVERROR(EINVAL);
}
…
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8095>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac
mailing list