[FFmpeg-devel] [PATCH v2] fftools/ffmpeg_filter: fix SEGV in choose_pix_fmts after avio_close_dyn_buf

Anton Khirnov anton at khirnov.net
Wed Dec 1 13:48:45 EET 2021


Quoting Steven Liu (2021-12-01 12:37:40)
> Check the avio_printf value and the len from avio_close_dyn_buf; it should
> be incorrect if they are not equal to each other.
> 
> Reported-by: TOTE Robot <oslab at tsinghua.edu.cn>
> Signed-off-by: Steven Liu <lq at chinaffmpeg.org>
> ---
>  fftools/ffmpeg_filter.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/fftools/ffmpeg_filter.c b/fftools/ffmpeg_filter.c
> index 452b689d62..ceb08b44f1 100644
> --- a/fftools/ffmpeg_filter.c
> +++ b/fftools/ffmpeg_filter.c
> @@ -105,6 +105,7 @@ static char *choose_pix_fmts(OutputFilter *ofilter)
>          AVIOContext *s = NULL;
>          uint8_t *ret;
>          int len;
> +        int name_new_size = 0;
>  
>          if (avio_open_dyn_buf(&s) < 0)
>              exit_program(1);
> @@ -116,9 +117,11 @@ static char *choose_pix_fmts(OutputFilter *ofilter)
>  
>          for (; *p != AV_PIX_FMT_NONE; p++) {
>              const char *name = av_get_pix_fmt_name(*p);
> -            avio_printf(s, "%s|", name);
> +            name_new_size = avio_printf(s, "%s|", name);
>          }
>          len = avio_close_dyn_buf(s, &ret);
> +        if (len != name_new_size)
> +            return NULL;
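
Review bot: In the loop, `name_new_size = avio_printf(s, "%s|", name);` overwrites the variable on every iteration, so after the loop it holds only the last write's return value, while `len` from avio_close_dyn_buf() covers everything written. The check `len != name_new_size` is therefore true for any list with more than one pixel format, and the function returns NULL on valid input. Test each avio_printf() return for a negative value inside the loop rather than comparing against `len`. The new `return NULL` path also leaves without releasing `ret`, which avio_close_dyn_buf() has just set, so an early return here needs an av_free(ret). It also differs from the exit_program(1) handling used for avio_open_dyn_buf() a few lines above, so confirm that callers handle a NULL result.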

This will be wrong if there is more than one pixel format.

I'd say this should just forward errors from avio_printf(). The doxy for
avio_close_dyn_buf() says it returns the buffer length, implying it
cannot fail.

-- 
Anton Khirnov
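
The point made in the reply above, as an added example that is not part of the original message and is not FFmpeg code: a self-contained model of the loop in which each write's return value is checked and the first error is forwarded. `DynBuf`, `dyn_printf`, `build_list` and `fail_after` are hypothetical names, and the "bytes written, or negative on error" return convention is an assumption standing in for avio_printf().

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a dynamic buffer; not FFmpeg's AVIOContext. */
typedef struct { char *data; int len; int fail_after; } DynBuf;

/* Returns bytes appended, or < 0 on error; fail_after injects a failure. */
static int dyn_printf(DynBuf *b, const char *fmt, ...)
{
    char tmp[64], *p;
    va_list ap;
    int n;
    if (b->fail_after-- == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(tmp, sizeof(tmp), fmt, ap);
    va_end(ap);
    if (n < 0 || n >= (int)sizeof(tmp) || !(p = realloc(b->data, b->len + n + 1)))
        return -1;
    memcpy(p + b->len, tmp, n + 1);
    b->data = p;
    b->len += n;
    return n;
}

/* Builds "a|b|". Returns the total length or the first write error; *last
 * holds the final write's return, which the patch compared with the total. */
static int build_list(const char *const *names, int fail_after, char **out, int *last)
{
    DynBuf b = { NULL, 0, fail_after };
    *out = NULL;
    for (*last = 0; *names; names++) {
        *last = dyn_printf(&b, "%s|", *names);
        if (*last < 0) {            /* forward the error, free the buffer */
            free(b.data);
            return *last;
        }
    }
    *out = b.data;
    return b.len;
}

int main(void)
{
    const char *const fmts[] = { "yuv420p", "nv12", NULL }; /* constructed */
    char *s; int last, len = build_list(fmts, -1, &s, &last);
    printf("len=%d last=%d list=%s\n", len, last, s);
    free(s);
}
```

With two formats the total length and the last write's return differ, which is why an equality check between them rejects valid input; they agree only when exactly one format is written.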

