[FFmpeg-trac] #9364(undetermined:new): uninitialized value use

FFmpeg trac at avcodec.org
Fri Aug 6 01:11:51 EEST 2021


#9364: uninitialized value use
-------------------------------------+-------------------------------------
             Reporter:  Andrew Bao   |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:               |                  Version:
  undetermined                       |  unspecified
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Found by Andrew Bao with his use-of-uninitialized-value tool

 This bug is in the file libavdevice/opengl_enc.c and function
 opengl_read_limits():


 {{{
  586     int i, major, minor;
  587     const char *extensions, *version;
  588
  589     version = glGetString(GL_VERSION);
  590     extensions = glGetString(GL_EXTENSIONS);
  591     if (!version || !extensions) {
  592         av_log(h, AV_LOG_ERROR, "No OpenGL context initialized for the current thread\n");
  593         return AVERROR(ENOSYS);
  594     }
  595
  596     av_log(h, AV_LOG_DEBUG, "OpenGL version: %s\n", version);
  597     sscanf(version, "%d.%d", &major, &minor);
  598
  599     for (i = 0; required_extensions[i].extension; i++) {
  600         if (major < required_extensions[i].major &&
  601             (major == required_extensions[i].major && minor < required_extensions[i].minor) &&
  602             !strstr(extensions, required_extensions[i].extension)) {
  603             av_log(h, AV_LOG_ERROR, "Required extension %s is not supported.\n",
  604                    required_extensions[i].extension);
  605             av_log(h, AV_LOG_DEBUG, "Supported extensions are: %s\n", extensions);
  606             return AVERROR(ENOSYS);
  607         }
  608     }
 }}}

 In line 597, the code does not check for sscanf failure. It is possible that
 the variables major and minor are left in an uninitialized state.

 Then these two variables are used in line 600 in an if condition, resulting
 in an uninitialized value use vulnerability.


 Suggested fix:
 Initialize major and minor where they are declared.

 {{{
 int major = 0;
 int minor = 0;
 }}}


 At the same time, check the failure of sscanf:

 {{{
 /* sscanf() returns the number of successful conversions; anything other
  * than 2 means "major.minor" was not parsed. The reporter's placeholder
  * "ERROR" is written here as the FFmpeg error code the surrounding function
  * already uses. */
 if (sscanf(version, "%d.%d", &major, &minor) != 2)
     return AVERROR(EINVAL);
 }}}
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/9364>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
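The pattern the ticket describes, as an added example that is not FFmpeg code and not the reporter's patch: a version parser in the shape of the quoted opengl_read_limits() that initializes its outputs before calling sscanf(), treats anything other than two conversions as an error, and a caller that refuses to compare a version it could not parse. The helper names parse_gl_version() and gl_version_below() are hypothetical, and the sample version strings are constructed to exercise the cases where "%d.%d" fails (leading text, a single field, an empty string).

```c
#include <errno.h>
#include <stdio.h>

/*
 * Hypothetical helper (not FFmpeg's code): parse "major.minor" from a GL
 * version string. Unlike the quoted opengl_read_limits(), the outputs are
 * initialized before sscanf() runs, and a short or failed conversion is
 * reported to the caller instead of being silently ignored.
 */
int parse_gl_version(const char *version, int *major, int *minor)
{
    int n;

    *major = 0;
    *minor = 0;
    if (!version)
        return -EINVAL;

    /* sscanf() returns the number of successful conversions, or EOF if the
     * input ended before the first one; only 2 means both fields were read. */
    n = sscanf(version, "%d.%d", major, minor);
    if (n != 2)
        return -EINVAL;

    /* "%d" accepts a sign, and a negative version component is never valid. */
    if (*major < 0 || *minor < 0)
        return -EINVAL;

    return 0;
}

/*
 * Hypothetical caller: is the reported GL version older than req_major.req_minor?
 * Returns 1 if older, 0 if not, and a negative errno if the version could not
 * be parsed, so the caller never compares uninitialized values against the
 * requirement.
 */
int gl_version_below(const char *version, int req_major, int req_minor)
{
    int major, minor, ret;

    ret = parse_gl_version(version, &major, &minor);
    if (ret < 0)
        return ret;

    return major < req_major ||
           (major == req_major && minor < req_minor);
}

int main(void)
{
    /* Constructed sample strings in the shapes glGetString(GL_VERSION) returns. */
    const char *samples[] = {
        "4.6.0 NVIDIA 470.57.02",
        "OpenGL ES 3.2 Mesa 21.0.3",   /* leading text: "%d" fails, 0 conversions */
        "3",                           /* only one field: 1 conversion */
        "",                            /* sscanf() returns EOF */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int ret = gl_version_below(samples[i], 3, 0);
        if (ret < 0)
            printf("\"%s\": unparseable, refusing to use version\n", samples[i]);
        else
            printf("\"%s\": %s 3.0\n", samples[i], ret ? "below" : "at least");
    }
    return 0;
}
```

Initializing major and minor alone would make the comparison deterministic but would silently treat an unparseable "OpenGL ES 3.2 ..." string as version 0.0; checking the sscanf() return value is what lets the caller distinguish "old driver" from "string I do not understand".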