[FFmpeg-cvslog] avfilter/graphparser: Don't set pointer to one beyond '\0' of string

Andreas Rheinhardt git at videolan.org
Sun Aug 23 21:17:31 EEST 2020


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Sun Aug 23 00:31:17 2020 +0200| [f33faa5b9bfb288f83db034fa1f8719ab8a994c6] | committer: Andreas Rheinhardt

avfilter/graphparser: Don't set pointer to one beyond '\0' of string

This happened in parse_link_name() if there was a '[' without matching
']'. While this is not undefined behaviour (pointer arithmetic one
beyond the end of an array works fine as long as there are no accesses),
it is potentially dangerous. It currently isn't (all callers of
parse_link_name() treat this as an error and don't access the string any
more), but making sure that this will never cause trouble in the future
seems nevertheless worthwhile.

Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f33faa5b9bfb288f83db034fa1f8719ab8a994c6
---

 libavfilter/graphparser.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c
index dfb94788e1..e96b20418e 100644
--- a/libavfilter/graphparser.c
+++ b/libavfilter/graphparser.c
@@ -63,7 +63,7 @@ static char *parse_link_name(const char **buf, void *log_ctx)
 
     name = av_get_token(buf, "]");
     if (!name)
-        goto fail;
+        return NULL;
 
     if (!name[0]) {
         av_log(log_ctx, AV_LOG_ERROR,
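Review bot: the new `return NULL;` after `av_get_token(buf, "]")` exits without any av_log() call, whereas the other failure paths in parse_link_name() log an AV_LOG_ERROR message, so a caller sees the same bare NULL for an allocation failure as for a syntax error. Consider logging here too, or documenting in a comment above the function that NULL covers both cases. Dropping the `goto fail` itself is fine, since `name` is NULL at this point and there is nothing to free.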
@@ -71,12 +71,14 @@ static char *parse_link_name(const char **buf, void *log_ctx)
         goto fail;
     }
 
-    if (*(*buf)++ != ']') {
+    if (**buf != ']') {
         av_log(log_ctx, AV_LOG_ERROR,
                "Mismatched '[' found in the following: \"%s\".\n", start);
     fail:
         av_freep(&name);
+        return NULL;
     }
+    (*buf)++;
 
     return name;
 }
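Review bot: the `fail:` label still sits inside the body of `if (**buf != ']')`, and after this change it is reached only by the `goto fail` of the empty-name check above, so control jumps into a block whose condition was never evaluated. This works, but it is easy to misread during later edits; consider moving the cleanup (`av_freep(&name); return NULL;`) to a label after the normal `return name;`, or freeing and returning directly in the empty-name branch. It would also help to state in a comment that `*buf` is advanced past ']' only on success, since that invariant is the point of the change and nothing in the code records it.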


