[FFmpeg-devel] [PATCH] libavformat/hlsenc: Use of uninitialized memory unlinking old files

DeHackEd git at dehacked.net
Sat Oct 3 20:23:13 CEST 2015


Pinging this issue. While likely not a security concern, it does cause
uninitialized memory to be printed to the user's terminal, and that's pretty
bad.

On 10/01/2015 07:21 PM, DeHackEd wrote:
> From: DHE <git at dehacked.net>
> 
> Fixes ticket#4900
> 
> Signed-off-by: DHE <git at dehacked.net>
> ---
>  libavformat/hlsenc.c | 29 +++++++++++++++++------------
>  1 file changed, 17 insertions(+), 12 deletions(-)
> 
> diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
> index 473ca3a..8daf53f 100644
> --- a/libavformat/hlsenc.c
> +++ b/libavformat/hlsenc.c
> @@ -165,12 +165,6 @@ static int hls_delete_old_segments(HLSContext *hls) {
>              ret = AVERROR(ENOMEM);
>              goto fail;
>          }
> -        sub_path_size = strlen(dirname) + strlen(segment->sub_filename) + 1;
> -        sub_path = av_malloc(sub_path_size);
> -        if (!sub_path) {
> -            ret = AVERROR(ENOMEM);
> -            goto fail;
> -        }
>  
>          av_strlcpy(path, dirname, path_size);
>          av_strlcat(path, segment->filename, path_size);
> @@ -179,14 +173,23 @@ static int hls_delete_old_segments(HLSContext *hls) {
>                                       path, strerror(errno));
>          }
>  
> -        av_strlcpy(sub_path, dirname, sub_path_size);
> -        av_strlcat(sub_path, segment->sub_filename, sub_path_size);
> -        if (unlink(sub_path) < 0) {
> -            av_log(hls, AV_LOG_ERROR, "failed to delete old segment %s: %s\n",
> -                                     sub_path, strerror(errno));
> +        if (segment->sub_filename[0] != '\0') {
> +            sub_path_size = strlen(dirname) + strlen(segment->sub_filename) + 1;
> +            sub_path = av_malloc(sub_path_size);
> +            if (!sub_path) {
> +                ret = AVERROR(ENOMEM);
> +                goto fail;
> +            }
> +
> +            av_strlcpy(sub_path, dirname, sub_path_size);
> +            av_strlcat(sub_path, segment->sub_filename, sub_path_size);
> +            if (unlink(sub_path) < 0) {
> +                av_log(hls, AV_LOG_ERROR, "failed to delete old segment %s: %s\n",
> +                                         sub_path, strerror(errno));
> +            }
> +            av_free(sub_path);
>          }
>          av_freep(&path);
> -        av_free(sub_path);
>          previous_segment = segment;
>          segment = previous_segment->next;
>          av_free(previous_segment);
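Review bot: The new `av_free(sub_path);` inside the `if (segment->sub_filename[0] != '\0')` block leaves `sub_path` holding a freed pointer for the next loop iteration, while `path` just below is released with `av_freep(&path);`. Using `av_freep(&sub_path);` would keep the two consistent and make any later cleanup of `sub_path` harmless. Separately, the `goto fail` on allocation failure is taken while `path` is still allocated; the `fail:` label is outside the hunk, so it is worth confirming that it releases `path`. The body of hls_delete_old_segments starts and ends outside the hunk.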
> @@ -312,6 +315,8 @@ static int hls_append_segment(HLSContext *hls, double duration, int64_t pos,
>  
>      if(hls->has_subtitle)
>          av_strlcpy(en->sub_filename, av_basename(hls->vtt_avf->filename), sizeof(en->sub_filename));
> +    else
> +        en->sub_filename[0] = '\0';
>  
>      en->duration = duration;
>      en->pos      = pos;
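Review bot: The added `else` branch makes an empty `sub_filename` the marker for "no subtitle segment", and hls_delete_old_segments now depends on that marker, but nothing in the code records it. A comment above the branch such as `/* empty sub_filename means no subtitle file; hls_delete_old_segments() skips the unlink */` would document the contract between the two functions. The allocation of `en` is outside the hunk; if it uses `av_malloc`, switching it to `av_mallocz` would give every field a defined value and also cover any other member that is only set conditionally. hls_append_segment continues outside the hunk.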
> 


