[FFmpeg-cvslog] avformat/imf_cpl: xmlNodeListGetString() can return NULL
Michael Niedermayer
git at videolan.org
Wed Jul 26 00:18:50 EEST 2023
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Jul 23 20:03:01 2023 +0200| [509ce40f188734ec74078ebdd8d71f80116d9eaf] | committer: Michael Niedermayer
avformat/imf_cpl: xmlNodeListGetString() can return NULL
Fixes: NULL pointer dereference
Fixes: 60166/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5998301577871360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Pierre-Anthony Lemieux <pal at sandflow.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=509ce40f188734ec74078ebdd8d71f80116d9eaf
---
libavformat/imf_cpl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c
index fe975c2f0c..69155d786d 100644
--- a/libavformat/imf_cpl.c
+++ b/libavformat/imf_cpl.c
@@ -75,6 +75,8 @@ int ff_imf_xml_read_uuid(xmlNodePtr element, AVUUID uuid)
int ret = 0;
xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
+ if (!element_text)
+ return AVERROR_INVALIDDATA;
ret = av_uuid_urn_parse(element_text, uuid);
if (ret)
ret = AVERROR_INVALIDDATA;
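Review bot: The NULL check added in ff_imf_xml_read_uuid returns directly, as does the one in fill_timecode, while the checks added to ff_imf_xml_read_rational and ff_imf_xml_read_uint32 fold `element_text == NULL` into the parse condition and fall through to `xmlFree()`. Four hand-written copies in two styles make it easy for a later xmlNodeListGetString() caller to omit the check, so a small static helper that wraps the call and documents the NULL return would keep them uniform. Any other xmlNodeListGetString() call in this file outside these hunks presumably needs the same check. A comment such as `/* NULL when the element has no text content, e.g. an empty element */` above the test would record why it exists. The function body continues outside the hunk.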
@@ -88,7 +90,7 @@ int ff_imf_xml_read_rational(xmlNodePtr element, AVRational *rational)
int ret = 0;
xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
- if (sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2)
+ if (element_text == NULL || sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2)
ret = AVERROR_INVALIDDATA;
xmlFree(element_text);
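Review bot: The `sscanf()` call in ff_imf_xml_read_rational still converts text taken from the CPL document with `%i %i`, and the C standard leaves the behaviour undefined when a converted value cannot be represented in the target `int`; the `PRIu32` conversion in ff_imf_xml_read_uint32 in the next hunk has the same problem. Both calls also accept trailing characters after the numbers, and `%i` accepts octal and hexadecimal spellings. Parsing with `strtol()`/`strtoul()`, checking `errno` and the end pointer, and range-checking before storing would let both helpers reject such input explicitly. Whether callers reject a zero denominator is not visible here; if they do not, `if (!ret && rational->den == 0) ret = AVERROR_INVALIDDATA;` after the parse would cover it. Both function bodies continue outside their hunks.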
@@ -100,7 +102,7 @@ int ff_imf_xml_read_uint32(xmlNodePtr element, uint32_t *number)
int ret = 0;
xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
- if (sscanf(element_text, "%" PRIu32, number) != 1)
+ if (element_text == NULL || sscanf(element_text, "%" PRIu32, number) != 1)
ret = AVERROR_INVALIDDATA;
xmlFree(element_text);
@@ -245,6 +247,8 @@ static int fill_timecode(xmlNodePtr cpl_element, FFIMFCPL *cpl)
return AVERROR_INVALIDDATA;
tc_str = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
+ if (!tc_str)
+ return AVERROR_INVALIDDATA;
ret = parse_cpl_tc_type(tc_str, comps);
xmlFree(tc_str);
if (ret)