[FFmpeg-devel] [PATCH] Fix segfault when opening empty file

Vitor Sessak vitor1001
Sat Oct 17 22:38:15 CEST 2009


Michael Niedermayer wrote:
> On Sat, Oct 17, 2009 at 10:22:30PM +0200, Vitor Sessak wrote:
>> Michael Niedermayer wrote:
>>> On Sat, Oct 17, 2009 at 01:55:14AM +0200, Vitor Sessak wrote:
>>>> $subj, to reproduce
>>>>
>>>> $ touch /tmp/file
>>>> $ ffmpeg -i /tmp/file
>>>>
>>>> -Vitor
>>>>  utils.c |    6 ++++++
>>>>  1 file changed, 6 insertions(+)
>>>> a0e169553dcd39a60c329e8b67342afe6cee9e8b  empty_file_crash.diff
>>>> Index: libavformat/utils.c
>>>> ===================================================================
>>>> --- libavformat/utils.c	(revision 20260)
>>>> +++ libavformat/utils.c	(working copy)
>>>> @@ -469,6 +469,12 @@
>>>>              /* read probe data */
>>>>              pd->buf= av_realloc(pd->buf, probe_size + 
>>>> AVPROBE_PADDING_SIZE);
>>>>              pd->buf_size = get_buffer(pb, pd->buf, probe_size);
>>>> +
>>>> +            if (pd->buf_size < 0) {
>>>> +                err = pd->buf_size;
>>>> +                goto fail;
>>>> +            }
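Review bot: the `pd->buf_size < 0` check in this hunk only catches an error return from `get_buffer` if `AVProbeData.buf_size` is a signed type; with an unsigned field the comparison is always false, the negative error code is stored as a huge size, and the crash this patch is meant to fix comes back. Either document in the `AVProbeData` definition that `buf_size` must stay signed, or read the return value into a local `int` and test that before assigning it, e.g. `int size = get_buffer(pb, pd->buf, probe_size); if (size < 0) { err = size; goto fail; } pd->buf_size = size;`. The `fail` label is outside this hunk; confirm it frees `pd->buf`, which the `av_realloc` on the context line may have just grown, so the new early exit does not leak the probe buffer.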
>>> if it's done like that, then AVProbeData.buf_size needs a comment making it
>>> clear that buf_size must stay signed, or some "size signedness cleanup"
>>> would break this
>> Good point. Attached is a slightly uglier but more robust one.
>>
>> -Vitor
> 
>>  utils.c |   10 +++++++++-
>>  1 file changed, 9 insertions(+), 1 deletion(-)
>> 1a0bd9be3e10e0369e96f1aa06c167f450049704  empty_file_crash2.diff
>> Index: libavformat/utils.c
>> ===================================================================
>> --- libavformat/utils.c	(revision 20260)
>> +++ libavformat/utils.c	(working copy)
>> @@ -466,9 +466,17 @@
>>  
>>          for(probe_size= PROBE_BUF_MIN; probe_size<=PROBE_BUF_MAX && !fmt; probe_size<<=1){
>>              int score= probe_size < PROBE_BUF_MAX ? AVPROBE_SCORE_MAX/4 : 0;
>> +            int size;
>>              /* read probe data */
>>              pd->buf= av_realloc(pd->buf, probe_size + AVPROBE_PADDING_SIZE);
>> -            pd->buf_size = get_buffer(pb, pd->buf, probe_size);
>> +            size = get_buffer(pb, pd->buf, probe_size);
>> +
>> +            if (size < 0) {
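Review bot: the hunk as quoted is cut off right after `if (size < 0) {`, so neither the error branch nor the point where `pd->buf_size` is assigned from `size` is visible; the complete patch should assign `pd->buf_size = size` only after the negative check, so the field never holds an error code whatever its signedness. Reading the `get_buffer` result into a local `int size` makes the signedness explicit and is the more robust of the two versions; the shorter alternative `if((int)pd->buf_size < 0)` depends on `buf_size` being no wider than `int` and would need the same comment asked for on the first version. The unchecked `av_realloc` result on the context line above is pre-existing and not introduced by this change.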
> 
> hmm
> if((int)pd->buf_size < 0)
> 
> should work too
> and feel free to commit directly

Done.

-Vitor
