[FFmpeg-devel] [PATCH v2] fftools/ffmpeg_filter: fix SEGV in choose_pix_fmts after avio_close_dyn_buf
Anton Khirnov
anton at khirnov.net
Wed Dec 1 13:48:45 EET 2021
Quoting Steven Liu (2021-12-01 12:37:40)
> Check the avio_printf value and len from avio_close_dyn_buf; it should
> be incorrect if they are not equal to each other.
>
> Reported-by: TOTE Robot <oslab at tsinghua.edu.cn>
> Signed-off-by: Steven Liu <lq at chinaffmpeg.org>
> ---
> fftools/ffmpeg_filter.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fftools/ffmpeg_filter.c b/fftools/ffmpeg_filter.c
> index 452b689d62..ceb08b44f1 100644
> --- a/fftools/ffmpeg_filter.c
> +++ b/fftools/ffmpeg_filter.c
> @@ -105,6 +105,7 @@ static char *choose_pix_fmts(OutputFilter *ofilter)
> AVIOContext *s = NULL;
> uint8_t *ret;
> int len;
> + int name_new_size = 0;
>
> if (avio_open_dyn_buf(&s) < 0)
> exit_program(1);
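Review bot: name_new_size, declared at function scope with "= 0", only ever receives the return value of one avio_printf() call, so neither its name nor its scope matches how it is used. An int declared inside the loop and tested for a negative value would say what is meant. The context lines also show avio_open_dyn_buf() failure handled with exit_program(1), so any new failure path in this function should either follow that convention or explain why it differs.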
> @@ -116,9 +117,11 @@ static char *choose_pix_fmts(OutputFilter *ofilter)
>
> for (; *p != AV_PIX_FMT_NONE; p++) {
> const char *name = av_get_pix_fmt_name(*p);
> - avio_printf(s, "%s|", name);
> + name_new_size = avio_printf(s, "%s|", name);
> }
> len = avio_close_dyn_buf(s, &ret);
> + if (len != name_new_size)
> + return NULL;
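Review bot: the "len != name_new_size" check after avio_close_dyn_buf() compares the length of the whole buffer with the return value of only the last avio_printf() call, because the assignment in the loop overwrites instead of accumulating. With two or more pixel formats the values differ on valid input and the function returns NULL. Test each avio_printf() return for a negative value inside the loop instead. The early "return NULL" also drops the buffer that avio_close_dyn_buf() stored in ret without av_free(), and the patch does not show that callers accept a NULL result.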
This will be wrong if there is more than one pixel format.
I'd say this should just forward errors from avio_printf(). The doxy for
avio_close_dyn_buf() says it returns the buffer length, implying it
cannot fail.
--
Anton Khirnov
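
The point made in the reply above, as an added example that is not part of the original message or of FFmpeg: it contrasts the v2 check with forwarding the print error. `dynbuf`, `buf_printf`, `join_v2`, `join_forward` and the sample lists are hypothetical stand-ins (assumptions) for the AVIOContext dynamic buffer, avio_printf() and the loop in choose_pix_fmts().

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical stand-in for a dynamic AVIOContext buffer (tiny on purpose). */
struct dynbuf { char data[16]; int len; };
static struct dynbuf g_buf;

/* Constructed sample lists; NULL plays the role of AV_PIX_FMT_NONE. */
static const char *const ONE[]   = { "yuv420p", NULL };
static const char *const TWO[]   = { "yuv420p", "nv12", NULL };
static const char *const THREE[] = { "yuv420p", "nv12", "rgb24", NULL };

/* Stand-in for avio_printf(): bytes written, or negative on error. */
static int buf_printf(struct dynbuf *b, const char *fmt, ...)
{
    va_list ap;
    int room = (int)sizeof(b->data) - b->len;
    va_start(ap, fmt);
    int n = vsnprintf(b->data + b->len, (size_t)room, fmt, ap);
    va_end(ap);
    if (n < 0 || n >= room)
        return -1;              /* output would not fit: report an error */
    b->len += n;
    return n;
}

/* Check from the v2 patch: total length compared with the LAST return value. */
static int join_v2(const char *const *names, struct dynbuf *b)
{
    int last = 0;
    b->len = 0;
    for (; *names; names++)
        last = buf_printf(b, "%s|", *names);
    return b->len == last ? b->len : -1;
}

/* Suggestion from the reply: forward the first error from the print call. */
static int join_forward(const char *const *names, struct dynbuf *b)
{
    b->len = 0;
    for (; *names; names++) {
        int r = buf_printf(b, "%s|", *names);
        if (r < 0)
            return r;
    }
    return b->len;
}

int main(void)
{
    printf("v2: %d %d\n", join_v2(ONE, &g_buf), join_v2(TWO, &g_buf));
    printf("forward: %d %d\n", join_forward(TWO, &g_buf), join_forward(THREE, &g_buf));
    return 0;
}
```

The v2-style check accepts a single-format list but rejects the valid two-format list, while the error-forwarding version fails only when the print call itself fails.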