Message ID | 20161223203935.7970-1-george@nsup.org |
---|---|
State | New |
On Fri, Dec 23, 2016 at 09:39:35PM +0100, Nicolas George wrote:
> Signed-off-by: Nicolas George <george@nsup.org>
> ---
>  libavformat/matroskaenc.c | 1 +
>  1 file changed, 1 insertion(+)
>
>
> I do not have time to fix this, but I got a few segfaults here, so it needs
> to be fixed. Either push the patch or, better, push an actual fix.

Instructions to reproduce the issue or a stack trace would make it easier for interested people to fix this.

I can guess that maybe buf is NULL, but that's just a guess.

[...]
On octidi 28 Nivôse, year CCXXV, Michael Niedermayer wrote:
> instructions to reproduce the issue or a stack trace would make it
> easier for interested people to fix this
>
> i can guess that maybe buf is NULL but that's just a guess

Yes, it happens when flirting with OOM: when OOM happens in one of the allocations for dyn_buf, the error is kept and reported when calling avio_close_dyn_buf(), and in that case buf is NULL and causes a segfault a few lines below.

Regards,
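The failure mode described in the reply above, as an added C model that is not code from the thread or from FFmpeg: a dynamic buffer that keeps an allocation error until it is closed, and a consumer that checks the result before reading past a skipped prefix. `DynBuf`, `dyn_write`, `dyn_close`, `checksum_after_skip` and the `limit` knob are hypothetical names, and a plain byte sum stands in for the CRC.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a growable buffer with a kept error (not FFmpeg code). */
typedef struct {
    uint8_t *data;
    size_t len, cap, limit; /* limit: constructed knob, larger allocations fail (simulated OOM) */
    int error;              /* set on the first failed allocation, reported only at close */
} DynBuf;

static void dyn_write(DynBuf *b, const void *src, size_t n)
{
    if (b->error)
        return;
    if (b->len + n > b->cap) {
        size_t ncap = (b->len + n) * 2;
        uint8_t *p = ncap > b->limit ? NULL : realloc(b->data, ncap);
        if (!p) { /* keep the error; the writer is not told */
            free(b->data);
            *b = (DynBuf){ .error = -1 };
            return;
        }
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
}

/* Hands the buffer over; after a kept error *out is NULL and the result is negative. */
static long dyn_close(DynBuf *b, uint8_t **out)
{
    long ret = b->error ? b->error : (long)b->len;
    *out = b->data;
    *b = (DynBuf){0};
    return ret;
}

/* Sums the bytes after a skip-byte prefix; returns -1 rather than reading NULL. */
static long checksum_after_skip(DynBuf *b, size_t skip)
{
    uint8_t *buf;
    long size = dyn_close(b, &buf), sum = 0;
    if (size < 0 || !buf || (size_t)size < skip)
        sum = -1; /* kept error, nothing written, or shorter than the prefix */
    for (size_t i = skip; sum >= 0 && i < (size_t)size; i++)
        sum += buf[i];
    free(buf);
    return sum;
}
```

Without the `size < 0 || !buf` test, the loop would read `buf[skip]` through a NULL pointer in the simulated OOM case, which is the crash the thread describes.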
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 827d7550c2..8e536f6774 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -351,6 +351,7 @@ static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, Matrosk if (pb->seekable) { size = avio_close_dyn_buf(*dyn_cp, &buf); + /* FIXME missing error check */ if (mkv->write_crc && mkv->mode != MODE_WEBM) { skip = 6; /* Skip reserved 6-byte long void element from the dynamic buffer. */ AV_WL32(crc, av_crc(av_crc_get_table(AV_CRC_32_IEEE_LE), UINT32_MAX, buf + skip, size - skip) ^ UINT32_MAX);
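Review bot: The FIXME added after `size = avio_close_dyn_buf(*dyn_cp, &buf);` documents the missing error check but leaves the crash in place: the `av_crc(..., buf + skip, size - skip)` call a few lines below still runs on a NULL `buf` in the OOM case described in the thread. A minimal guard would skip the CRC and the write when `buf` is NULL or `size` is smaller than `skip`, and release whatever was returned. Because `end_ebml_master_crc32()` is declared `static void`, the failure cannot reach the caller as written, so a complete fix would also change the return type to `int` and have the callers propagate the error. The comment would be easier to act on if it said what to check, for example that `buf` may be NULL after an allocation failure in the dynamic buffer.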
Signed-off-by: Nicolas George <george@nsup.org>
---
 libavformat/matroskaenc.c | 1 +
 1 file changed, 1 insertion(+)

I do not have time to fix this, but I got a few segfaults here, so it needs
to be fixed. Either push the patch or, better, push an actual fix.