[FFmpeg-devel] [RFC] SDP Generation
Luca Abeni
lucabe72
Tue Jul 17 17:42:09 CEST 2007
Hi Michael,
thanks for the comments, and sorry again for the errors in my patch.
Michael Niedermayer wrote:
[...]
>> const char *name;
>> const char *info;
>> };
>
> please document the fields of structures
Ok. I am working on doxygenning the code, and I'll include all the
comments in the next patch.
>> static char *sdp_print(char *buff, int size, const char *fmt, ...)
>> {
>> va_list vl;
>> int res;
>>
>> if (buff == NULL) {
>> return NULL;
>> }
>
> how can this be true?
My reasoning was: if I fill the whole buffer, sdp_print() will be called
with size = 0, so it will return NULL, and next call to sdp_print() will
have buff = NULL. This if is to avoid repeating the check after every
call to sdp_print(). But this reasoning is wrong, because I
misunderstood the snprintf() return value (see below).
[...]
>> va_start(vl, fmt);
>> res = vsnprintf(buff, size, fmt, vl);
>> va_end(vl);
>> if (res <= 0) {
>> return NULL;
>> }
>
> how exactly is vsnprintf() supposed to return <=0 ?
If size == 0 (I expected this to happen because of my misunderstanding
of the return value) or in case of error (I just wanted to consider the
case in which vsnprintf() fails for some reason).
[...]
> argh, the whole code is a overcomplicated exploitable mess
>
> more precissely vsnprintf() will stop writing at the end of the buffer
> but the pointer you return will not be limited to the buffer size and
> is then used to calculate the remaining size which is negative but unsigned
> thus killing all checks in subsequent calls
Opss. I was under the impression that vsnprintf() printed at most n
characters, and returned the number of written characters. Sorry about
that, I'll fix the code going for an strlcatf()-like solution as you
suggest.
> [...]
>> static char *sdp_media_attributes(char *buff, int size, AVCodecContext *c, int payload_type)
>> {
>> char *config = NULL;
>>
>> switch (c->codec_id) {
>> case CODEC_ID_MPEG4:
>> if (c->flags & CODEC_FLAG_GLOBAL_HEADER) {
>> config = av_malloc(10 + c->extradata_size * 2);
>> if (config == NULL) {
>> av_log(NULL, AV_LOG_ERROR, "Cannot allocate memory for the config info\n");
>
> please check that 10 + c->extradata_size * 2 doesnt overflow
I think I did:
- "; config=" is 9 characters
- extradata is encoded in extradata_size * 2 characters
- then there is the \0 at the end
Am I missing something?
[...]
> case CODEC_TYPE_VIDEO : type = "video" ; break;
> case CODEC_TYPE_AUDIO : type = "audio" ; break;
> case CODEC_TYPE_SUBTITLE: type = "text" ; break;
> default : type = "application"; break;
Ok.
Thanks again for the review; I appreciate it!
Thanks,
Luca
More information about the ffmpeg-devel
mailing list