[FFmpeg-devel] Null pointer dereference?

Ronald S. Bultje rsbultje at gmail.com
Tue May 9 22:25:44 EEST 2017


Hi,

On Mon, May 8, 2017 at 3:08 PM, Zubin Mevawalla <zubinmeva at qbitlogic.com>
wrote:

> If `bufptr` is NULL, and `len` >= 12, then `buf` is initialized to NULL
> and dereferenced on line 796.
>
> diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
> --- a/libavformat/rtpdec.c
> +++ b/libavformat/rtpdec.c
> @@ -793,8 +793,10 @@ static int rtp_parse_one_packet(RTPDemuxContext
> *s, AVPacket *pkt,
>      if (len < 12)
>          return -1;
>
> -    if ((buf[0] & 0xc0) != (RTP_VERSION << 6))
>
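Review bot: The hunk is cut off after the removed `if ((buf[0] & 0xc0) != (RTP_VERSION << 6))` line, so the replacement is not visible and the fix cannot be reviewed; the `@@ -793,8 +793,10 @@` header says two lines are added, and those are the ones missing. The description should also say which caller can reach this point with `bufptr == NULL` and `len >= 12`, since a NULL check inside `rtp_parse_one_packet` only masks a broken caller invariant if `len > 0` is supposed to imply a non-NULL buffer; if the check is still wanted, it belongs next to the existing `if (len < 12) return -1;` guard and should return the same error code.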

In callers, we're assuming that (rtsp.c line 2158/2160) if len > 0, bufptr
!= NULL and thus buf != NULL. Likewise, len == 0 implies that bufptr ==
NULL and thus buf == NULL.

Ronald
