[FFmpeg-devel] Null pointer dereference?
Ronald S. Bultje
rsbultje at gmail.com
Tue May 9 22:25:44 EEST 2017
Hi,
On Mon, May 8, 2017 at 3:08 PM, Zubin Mevawalla <zubinmeva at qbitlogic.com>
wrote:
> If `bufptr` is NULL, and `len` >= 12, then `buf` is initialized to NULL
> and dereferenced on line 796.
>
> diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
> --- a/libavformat/rtpdec.c
> +++ b/libavformat/rtpdec.c
> @@ -793,8 +793,10 @@ static int rtp_parse_one_packet(RTPDemuxContext
> *s, AVPacket *pkt,
> if (len < 12)
> return -1;
>
> - if ((buf[0] & 0xc0) != (RTP_VERSION << 6))
>
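Review bot: the quoted hunk is incomplete, so the fix itself cannot be reviewed: the header `@@ -793,8 +793,10 @@` announces two added lines, but only the removed `if ((buf[0] & 0xc0) != (RTP_VERSION << 6))` line is shown and the `+` side is missing; please resend the whole hunk. Note also that the preceding `if (len < 12) return -1;` already rejects `len == 0`, so a NULL guard on `buf` only matters if some caller can pass `len >= 12` together with a NULL `bufptr`; the commit message should name that caller, otherwise the added check is redundant.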
In callers, we're assuming that (rtsp.c line 2158/2160) if len > 0, bufptr
!= NULL and thus buf != NULL. Likewise, len == 0 implies that bufptr ==
NULL and thus buf == NULL.
Ronald
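As an added example (not code from this thread or from FFmpeg), a stand-alone RTP fixed-header parser in C that makes the caller contract discussed above explicit: it keeps the `len < 12` check first, adds a NULL guard for the `len >= 12` with `bufptr == NULL` case the patch worried about, and then applies the same version-bit test. All function and struct names and the sample packet are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define RTP_VERSION          2
#define RTP_FIXED_HEADER_LEN 12   /* RFC 3550 fixed header, before the CSRC list */

struct rtp_header {
    uint8_t  padding, extension, cc, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
};

/* Checks are ordered as in the thread: length first (len == 0 is the only case
 * where the caller contract allows a NULL buffer), then an explicit NULL guard
 * for "len >= 12 but no data", then the version bits. Returns 0 or -1. */
int parse_rtp_header(const uint8_t *buf, size_t len, struct rtp_header *h)
{
    if (len < RTP_FIXED_HEADER_LEN)
        return -1;
    if (buf == NULL)                /* contract violation: reject rather than crash */
        return -1;
    if ((buf[0] & 0xc0) != (RTP_VERSION << 6))
        return -1;
    h->padding      = (buf[0] >> 5) & 1;
    h->extension    = (buf[0] >> 4) & 1;
    h->cc           =  buf[0] & 0x0f;
    h->marker       =  buf[1] >> 7;
    h->payload_type =  buf[1] & 0x7f;
    h->seq          = (uint16_t)((buf[2] << 8) | buf[3]);
    h->timestamp    = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                      ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    h->ssrc         = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                      ((uint32_t)buf[10] << 8) |  (uint32_t)buf[11];
    if (len < RTP_FIXED_HEADER_LEN + 4u * h->cc)   /* CSRC list must fit as well */
        return -1;
    return 0;
}

/* Returns the sequence number on success, -1 on rejection. */
int rtp_seq_or_error(const uint8_t *buf, size_t len)
{
    struct rtp_header h;
    return parse_rtp_header(buf, len, &h) == 0 ? (int)h.seq : -1;
}

/* Constructed sample: V=2, CC=1, M=1, PT=96, seq 0x1234, one CSRC, two payload bytes. */
static const uint8_t sample_packet[] = {
    0x81, 0xe0, 0x12, 0x34, 0x00, 0x01, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
    0x00, 0x00, 0x00, 0x07, 0xaa, 0xbb };

int main(void)
{
    printf("sample seq=%d, NULL buffer with len 12 -> %d\n",
           rtp_seq_or_error(sample_packet, sizeof sample_packet), rtp_seq_or_error(NULL, 12));
    return 0;
}
```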