[FFmpeg-devel] [PATCH] mjpegdec: Do not assume unused plane pointer are NULL.

Clément Bœsch u at pkh.me
Fri Feb 26 12:40:19 CET 2016


On Fri, Feb 26, 2016 at 11:29:05AM +0100, wm4 wrote:
> On Fri, 26 Feb 2016 02:38:13 +0100
> Michael Niedermayer <michael at niedermayer.cc> wrote:
> 
> > On Fri, Feb 26, 2016 at 12:15:19AM +0100, Reimar Döffinger wrote:
> > > We do neither document nor check such a requirement
> > > and for application-provided get_buffer2 they could
> > > contain the result of a malloc(0) or whatever value
> > > they had previously.
> > > This fixes a use-after-free in e.g. MPlayer:
> > > https://trac.mplayerhq.hu/ticket/2262
> > > We might want to consider changing the (documented)
> > > API in addition though.
> > > 
> > > Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> > > ---
> > >  libavcodec/mjpegdec.c | 8 +++++---
> > >  1 file changed, 5 insertions(+), 3 deletions(-)  
> > 
> > the assumption that unused plane pointers are NULL is more
> > widespread than mjpeg I think
> > 
> > also, is it really a good idea to leave stale pointers in the array?
> > 
> > [...]
> 
> Unfortunately I have to agree. I got some crashes in libavfilter when I
> didn't set some "unused" plane pointers to NULL. Some code is just lazy
> and checks plane pointers for NULL, instead of retrieving the proper
> plane count.

lavfi seems to do both sometimes. For example:
☭ git grep '\[plane\] &&'
libavfilter/vf_boxblur.c:    for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++)
libavfilter/vf_boxblur.c:    for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++)
libavfilter/vf_fieldmatch.c:    for (plane = 0; plane < 4 && src->data[plane] && src->linesize[plane]; plane++) {
libavfilter/vf_fieldorder.c:    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_framerate.c:        for (plane = 0; plane < 4 && copy_src1->data[plane] && copy_src2->data[plane]; plane++) {
libavfilter/vf_framerate.c:        for (plane = 0; plane < 4 && copy_src1->data[plane] && copy_src2->data[plane]; plane++) {
libavfilter/vf_hflip.c:    for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_kerndeint.c:    for (plane = 0; plane < 4 && inpic->data[plane] && inpic->linesize[plane]; plane++) {
libavfilter/vf_lut.c:        for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_lut.c:        for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {
libavfilter/vf_mpdecimate.c:    for (plane = 0; ref->data[plane] && ref->linesize[plane]; plane++) {
libavfilter/vf_pad.c:    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_showinfo.c:    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) {
libavfilter/vf_showinfo.c:    for (plane = 1; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_showinfo.c:    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_showinfo.c:    for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++)
libavfilter/vf_vignette.c:        for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) {

-- 
Clément B.
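As an added illustration of the two iteration schemes discussed above (this is example code, not from FFmpeg or from any participant in the thread): a hypothetical `Frame` struct stands in for `AVFrame`, a tiny `fmt_nb_planes` table stands in for the pixel-format descriptor, and all buffers are constructed static arrays, so nothing here is actually freed. It shows how a NULL-check loop walks into stale plane slots left behind when a buffer is reused for a format with fewer planes, and the two fixes implied by the discussion: the consumer asks the format for its plane count, and the producer clears the unused slots.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for AVFrame: four plane slots. */
#define MAX_PLANES 4

typedef struct Frame {
    uint8_t *data[MAX_PLANES];
    int      linesize[MAX_PLANES];
    int      format;            /* index into fmt_nb_planes below */
} Frame;

/* Hypothetical pixel-format table; only the plane count matters here. */
enum { FMT_GRAY8 = 0, FMT_YUV420P = 1 };
static const int fmt_nb_planes[] = { 1, 3 };

/* The "lazy" scheme from the thread: stop at the first NULL plane pointer.
 * Returns how many plane slots the loop would touch. */
static int count_planes_by_null(const Frame *f)
{
    int plane, n = 0;
    for (plane = 0; plane < MAX_PLANES && f->data[plane] && f->linesize[plane]; plane++)
        n++;
    return n;
}

/* The robust scheme: derive the plane count from the format. */
static int count_planes_by_format(const Frame *f)
{
    return fmt_nb_planes[f->format];
}

/* Producer-side fix: never leave stale pointers in unused slots. */
static void clear_unused_planes(Frame *f)
{
    int plane;
    for (plane = count_planes_by_format(f); plane < MAX_PLANES; plane++) {
        f->data[plane]     = NULL;
        f->linesize[plane] = 0;
    }
}

/* Constructed scenario: a frame struct is first filled for a 3-plane format,
 * then reused for a 1-plane format by a get_buffer2 that only rewrites slot 0,
 * leaving data[1..2] with their old values. */
static void fill_reused_frame(Frame *f)
{
    static uint8_t y[16], u[4], v[4];   /* constructed buffers, never freed */
    f->format = FMT_YUV420P;
    f->data[0] = y; f->data[1] = u; f->data[2] = v; f->data[3] = NULL;
    f->linesize[0] = 4; f->linesize[1] = 2; f->linesize[2] = 2; f->linesize[3] = 0;

    f->format = FMT_GRAY8;              /* reuse: only slot 0 is rewritten */
    f->data[0] = y;
    f->linesize[0] = 4;
}

/* Stale slots the NULL-check loop visits beyond the real plane count. */
static int stale_planes_visited(void)
{
    Frame f;
    fill_reused_frame(&f);
    return count_planes_by_null(&f) - count_planes_by_format(&f);
}

/* Same scenario after the producer clears the unused slots. */
static int stale_planes_after_clear(void)
{
    Frame f;
    fill_reused_frame(&f);
    clear_unused_planes(&f);
    return count_planes_by_null(&f) - count_planes_by_format(&f);
}

int main(void)
{
    printf("stale slots visited by NULL-check loop: %d\n", stale_planes_visited());
    printf("stale slots after clearing unused planes: %d\n", stale_planes_after_clear());
    return 0;
}
```

With the real `AVFrame`, the format-driven count corresponds to consulting the pixel format descriptor rather than probing `data[plane]`; the point of the example is that the NULL-check loop is only safe if every producer of frames clears the slots it does not use, which the thread notes is neither documented nor checked.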