[FFmpeg-devel] [PATCH] avutil/hwcontext: check the null pointer input value before use it
Steven Liu
lq at chinaffmpeg.org
Fri Feb 11 04:03:33 EET 2022
> 2022年2月11日 上午10:01,James Almer <jamrial at gmail.com> 写道:
>
> On 2/10/2022 10:43 PM, Steven Liu wrote:
>>> 2022年2月10日 下午8:27,James Almer <jamrial at gmail.com> 写道:
>>>
>>> On 2/10/2022 9:20 AM, Steven Liu wrote:
>>>> because the src, src->hw_frames_ctx and src->hw_frames_ctx->data can be
>>>> set to null when the user calling av_hwframe_transfer_data, this will
>>>> get crash if they are null.
>>>
>>> src can not be NULL. The doxy doesn't allow it.
>> Hi James,
>> User call av_hwframe_transfer_data like this:
>> av_hwframe_transfer_data(dst, NULL, 0);
>> It will crash when dst->buf[0] is null.
>> Because dst->buf[0] is null and src is null, it will call transfer_data_alloc, but the first line is ctx = (AVHWFramesContext*)src->hw_frames_ctx->data; in transfer_data_alloc,
>> It using src->hw_frames_ctx.
>> av_hwframe_transfer_data is av_*, it is API to user.
>> Maybe this is not logic problem, looks like a security problem.
>
> I know what happens when you pass NULL as src argument. My point is that it's not a security problem because that's an API violation and an explicitly forbidden scenario: Neither src or dst can be NULL, and at least one of them must have an AVHWFramesContext attached. Any application not following that is faulty and buggy, and needs to be fixed.
>
> And you can get crashes by passing NULL arguments to lots of public libav* functions, not just this one.
Won’t we fix them?
Thanks
Steven Liu
More information about the ffmpeg-devel
mailing list