[FFmpeg-devel] [PATCH] avutil/hwcontext: check the null pointer input value before use it

Steven Liu lq at chinaffmpeg.org
Fri Feb 11 03:43:20 EET 2022



> On Feb 10, 2022, at 8:27 PM, James Almer <jamrial at gmail.com> wrote:
> 
> On 2/10/2022 9:20 AM, Steven Liu wrote:
>> because src, src->hw_frames_ctx and src->hw_frames_ctx->data can be
>> set to null when the user calls av_hwframe_transfer_data, this will
>> crash if they are null.
> 
> src can not be NULL. The doxy doesn't allow it.

Hi James,

A user can call av_hwframe_transfer_data like this:

av_hwframe_transfer_data(dst, NULL, 0);

It will crash when dst->buf[0] is null.
Because dst->buf[0] is null and src is null, it will call transfer_data_alloc, but the first line of transfer_data_alloc is ctx = (AVHWFramesContext*)src->hw_frames_ctx->data;
It uses src->hw_frames_ctx.

av_hwframe_transfer_data is av_*, it is an API for users.
Maybe this is not a logic problem; it looks like a security problem.
> 
> And if transfer_data_alloc() is called, it's because dst is "clean", and src must then have a hw_frames_ctx (The doxy explicitly states "At least one of dst/src must have an AVHWFramesContext attached").
> 
>> Signed-off-by: Steven Liu <lq at chinaffmpeg.org>
>> ---
>>  libavutil/hwcontext.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
>> diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
>> index 31c7840dba..b42a3a6d4d 100644
>> --- a/libavutil/hwcontext.c
>> +++ b/libavutil/hwcontext.c
>> @@ -396,10 +396,13 @@ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
>>    static int transfer_data_alloc(AVFrame *dst, const AVFrame *src, int flags)
>>  {
>> -    AVHWFramesContext *ctx = (AVHWFramesContext*)src->hw_frames_ctx->data;
>> +    AVHWFramesContext *ctx = NULL;
>>      AVFrame *frame_tmp;
>>      int ret = 0;
>>  +    if (!src || !src->hw_frames_ctx || !src->hw_frames_ctx->data)
>> +        return AVERROR(EINVAL);
>> +    ctx = (AVHWFramesContext*)src->hw_frames_ctx->data;
>>      frame_tmp = av_frame_alloc();
>>      if (!frame_tmp)
>>          return AVERROR(ENOMEM);
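Review bot: the guard `if (!src || !src->hw_frames_ctx || !src->hw_frames_ctx->data)` is placed inside the static helper transfer_data_alloc, so it only protects the path that reaches this function, i.e. the case where dst->buf[0] is NULL as described above; the paths av_hwframe_transfer_data takes when dst already has a buffer still dereference src unguarded. If the aim is to make the public av_hwframe_transfer_data() safe against a NULL src, the check belongs at the top of that entry point, before it dispatches, so every branch is covered. Separately, the documentation quoted in this thread says src may not be NULL and must carry an AVHWFramesContext when dst is clean, so consider whether a NULL src is a caller-contract violation better expressed as av_assert0() than as a silent AVERROR(EINVAL): returning EINVAL turns API misuse into an ordinary recoverable error and can hide bugs in callers. Whichever is chosen, the new behaviour (assert or EINVAL) should be stated in the doxygen for av_hwframe_transfer_data so callers know what to expect.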

Thanks

Steven Liu