[FFmpeg-devel] possible NULL access in av_strlcpy.c
Zhang Rui
bbcallen at gmail.com
Tue Sep 24 13:23:04 CEST 2013
Consider this URL "rtsp://l.m.cztv.com:554/hdmi/hntv1hd.stream"
// in ff_rtsp_connect()
...
av_url_split(NULL, 0, auth, sizeof(auth), host, sizeof(host), &port,
             path, sizeof(path), s->filename);
...
// in av_url_split()
...
av_strlcpy(proto, url, cp); //< proto is NULL here
...
// in av_strlcpy()
...
size_t av_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = 0;
    while (++len < size && *src)
        *dst++ = *src++;
    if (len <= size) {
        //< crash here, even if dst=NULL, len=1, size=0
        *dst = 0;
    }
    return len + strlen(src) - 1;
}
...
My configuration script:
https://github.com/bbcallen/ijkplayer/blob/da0de173bcc66592aef576bfcf47a771ca19dc3f/android/compile-ffmpeg.sh
OS X: 10.8.5
xcode: 4.6.5
NDK r9 with gcc 4.8
After removing "-fmodulo-sched -fmodulo-sched-allow-regmoves" from
"--extra-cflags", the crash didn't happen again.
"if(dst && len <= size)" can also fix this issue with "-fmodulo-sched" enabled.
BTW: This issue doesn't happen with Apple llvm 4.2 with same config enabled.
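The following is an added example, not code from the post or from FFmpeg. It re-implements the av_strlcpy logic quoted above (under a hypothetical name, strlcpy_as_quoted) next to a variant carrying the dst guard the post proposes, and exercises both with the caller pattern from ff_rtsp_connect, where the proto argument is passed as NULL with size 0. Read according to C semantics, neither version stores through dst when size is 0, which is why the post treats the observed crash as a compiler issue tied to -fmodulo-sched rather than a defect in the source; the example also shows the return value contract (the length of the string the function tried to create, as with BSD strlcpy) on a truncating copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Re-implementation of the av_strlcpy body quoted in the post.
 * Hypothetical name; this is not FFmpeg's own source file. */
size_t strlcpy_as_quoted(char *dst, const char *src, size_t size)
{
    size_t len = 0;
    /* size == 0: ++len (1) < 0 is false, so no copy happens. */
    while (++len < size && *src)
        *dst++ = *src++;
    /* size == 0: 1 <= 0 is false, so no terminator is stored. */
    if (len <= size)
        *dst = 0;
    /* Total length the caller would need: copied bytes + leftover src. */
    return len + strlen(src) - 1;
}

/* Variant with the guard the post suggests: refuse to touch dst when
 * it is NULL. Only the size == 0 case is covered by this check, since
 * a NULL dst with size > 0 would already be written in the loop. */
size_t strlcpy_guarded(char *dst, const char *src, size_t size)
{
    size_t len = 0;
    while (++len < size && *src)
        *dst++ = *src++;
    if (dst && len <= size)
        *dst = 0;
    return len + strlen(src) - 1;
}

/* Mirrors av_url_split() being called with proto == NULL, proto_size == 0:
 * the caller is not interested in the scheme, so nothing must be written.
 * Returns the length both variants report for the URL from the post. */
size_t scheme_skipped_length(void)
{
    /* Constructed input: the URL quoted in the report. */
    const char *url = "rtsp://l.m.cztv.com:554/hdmi/hntv1hd.stream";
    size_t a = strlcpy_as_quoted(NULL, url, 0);
    size_t b = strlcpy_guarded(NULL, url, 0);
    return a == b ? a : (size_t)-1;
}

/* Truncating copy into a 4-byte buffer: "rts" plus NUL is stored and the
 * return value is the full source length (8), signalling truncation.
 * Returns 1 when both the buffer content and the length are as expected. */
int check_truncation(void)
{
    char buf[4];
    memset(buf, 'X', sizeof(buf));
    size_t n = strlcpy_guarded(buf, "rtsp://x", sizeof(buf));
    return n == 8 && strcmp(buf, "rts") == 0;
}

int main(void)
{
    printf("length with proto skipped: %zu\n", scheme_skipped_length());
    printf("truncation contract ok: %d\n", check_truncation());
    return 0;
}
```

Build with a plain `cc` invocation; both helpers return normally because, per the language rules, no store is reachable when size is 0. Whether the optimizer preserves that under `-fmodulo-sched` is exactly what the report above is about.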