Message ID | 20211206122142.84235-1-young_chelsea@163.com |
---|---|
State | New |
Series | [FFmpeg-devel] libswresample/swresamplec: Err num(negative-size) was used as a function parameter |

Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/makex86 | warning | New warnings during build |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
On Mon, Dec 06, 2021 at 08:21:42PM +0800, Yu Yang wrote:
> If cannot allocate memory, ERROR(ENOMEM) '-12' as a parameter will be constantly being returned.
> When run resample() firstly, negative size param would cause buffer-overflow and SEGV in swri_rematrix().
> When run swri_rematrix() firstly, resample() would not cause error but Err num as a wrong parameter passing.
> Err num should be returned immediately. And remove assert to ensure the return of the error code.
>
> coredump info:
> #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
> #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
> #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
> #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
> #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
> #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
> #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
> #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
> #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
> #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
> #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
> #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
> #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
> #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
> #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
> #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
> #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
> #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
> #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
> #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
> #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
> #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
>
> SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy
>
> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
> Signed-off-by: Yu Yang <young_chelsea@163.com>
> ---
> libswresample/swresample.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
> index c03fe5528f..92ab6a9148 100644
> --- a/libswresample/swresample.c
> +++ b/libswresample/swresample.c
> @@ -644,6 +644,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co
> if(s->resample_first){
> if(postin != midbuf)
> out_count= resample(s, midbuf, out_count, postin, in_count);
> + if (out_count < 0)
> + return out_count;

this doesn't look right

[...]

> On Dec 7, 2021, at 7:25 PM, Michael Niedermayer <michael@niedermayer.cc> wrote:
>
> On Mon, Dec 06, 2021 at 08:21:42PM +0800, Yu Yang wrote:
>> If cannot allocate memory, ERROR(ENOMEM) '-12' as a parameter will be constantly being returned.
>> When run resample() firstly, negative size param would cause buffer-overflow and SEGV in swri_rematrix().
>> When run swri_rematrix() firstly, resample() would not cause error but Err num as a wrong parameter passing.
>> Err num should be returned immediately. And remove assert to ensure the return of the error code.
>>
>> coredump info:
>> #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
>> #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
>> #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
>> #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
>> #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
>> #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
>> #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
>> #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
>> #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
>> #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
>> #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
>> #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
>> #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
>> #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
>> #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
>> #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
>> #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
>> #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
>> #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
>> #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
>> #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
>> #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
>>
>> SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy
>>
>> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
>> Signed-off-by: Yu Yang <young_chelsea@163.com>
>> ---
>> libswresample/swresample.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
>> index c03fe5528f..92ab6a9148 100644
>> --- a/libswresample/swresample.c
>> +++ b/libswresample/swresample.c
>> @@ -644,6 +644,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co
>> if(s->resample_first){
>
>> if(postin != midbuf)
>> out_count= resample(s, midbuf, out_count, postin, in_count);
>> + if (out_count < 0)
>> + return out_count;
>
> this doesn't look right

I could not understand your reply. Do you mean this bug does not exist, or this patch is not good?

>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> No snowflake in an avalanche ever feels responsible. -- Voltaire
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Tue, Dec 07, 2021 at 08:12:53PM +0800, Yy wrote:
>
>
> > On Dec 7, 2021, at 7:25 PM, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >
> > On Mon, Dec 06, 2021 at 08:21:42PM +0800, Yu Yang wrote:
> >> If cannot allocate memory, ERROR(ENOMEM) '-12' as a parameter will be constantly being returned.
> >> When run resample() firstly, negative size param would cause buffer-overflow and SEGV in swri_rematrix().
> >> When run swri_rematrix() firstly, resample() would not cause error but Err num as a wrong parameter passing.
> >> Err num should be returned immediately. And remove assert to ensure the return of the error code.
> >>
> >> coredump info:
> >> #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
> >> #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
> >> #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
> >> #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
> >> #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
> >> #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
> >> #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
> >> #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
> >> #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
> >> #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
> >> #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
> >> #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
> >> #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
> >> #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
> >> #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
> >> #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
> >> #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
> >> #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
> >> #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
> >> #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
> >> #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
> >> #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
> >>
> >> SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy
> >>
> >> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
> >> Signed-off-by: Yu Yang <young_chelsea@163.com>
> >> ---
> >> libswresample/swresample.c | 6 +++++-
> >> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
> >> index c03fe5528f..92ab6a9148 100644
> >> --- a/libswresample/swresample.c
> >> +++ b/libswresample/swresample.c
> >> @@ -644,6 +644,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co
> >> if(s->resample_first){
> >
> >> if(postin != midbuf)
> >> out_count= resample(s, midbuf, out_count, postin, in_count);
> >> + if (out_count < 0)
> >> + return out_count;
> >
> > this doesn't look right
> I could not understand your reply. Do you mean this bug does not exist, or this patch is not good?

The patch looks wrong
Do you see the difference between the 3 pieces of code below:

if(postin != midbuf)
out_count= resample(s, midbuf, out_count, postin, in_count);
if (out_count < 0)
return out_count;


if(postin != midbuf)
out_count= resample(s, midbuf, out_count, postin, in_count);
if (out_count < 0)
return out_count;


if(postin != midbuf) {
out_count= resample(s, midbuf, out_count, postin, in_count);
if (out_count < 0)
return out_count;
}

[...]

> On Dec 7, 2021, at 8:42 PM, Michael Niedermayer <michael@niedermayer.cc> wrote:
>
> On Tue, Dec 07, 2021 at 08:12:53PM +0800, Yy wrote:
>>
>>
>>> On Dec 7, 2021, at 7:25 PM, Michael Niedermayer <michael@niedermayer.cc> wrote:
>>>
>>> On Mon, Dec 06, 2021 at 08:21:42PM +0800, Yu Yang wrote:
>>>> If cannot allocate memory, ERROR(ENOMEM) '-12' as a parameter will be constantly being returned.
>>>> When run resample() firstly, negative size param would cause buffer-overflow and SEGV in swri_rematrix().
>>>> When run swri_rematrix() firstly, resample() would not cause error but Err num as a wrong parameter passing.
>>>> Err num should be returned immediately. And remove assert to ensure the return of the error code.
>>>>
>>>> coredump info:
>>>> #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
>>>> #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
>>>> #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
>>>> #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
>>>> #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
>>>> #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
>>>> #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
>>>> #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
>>>> #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
>>>> #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
>>>> #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
>>>> #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
>>>> #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
>>>> #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
>>>> #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
>>>> #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
>>>> #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
>>>> #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
>>>> #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
>>>> #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
>>>> #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
>>>> #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
>>>>
>>>> SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy
>>>>
>>>> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
>>>> Signed-off-by: Yu Yang <young_chelsea@163.com>
>>>> ---
>>>> libswresample/swresample.c | 6 +++++-
>>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
>>>> index c03fe5528f..92ab6a9148 100644
>>>> --- a/libswresample/swresample.c
>>>> +++ b/libswresample/swresample.c
>>>> @@ -644,6 +644,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co
>>>> if(s->resample_first){
>>>
>>>> if(postin != midbuf)
>>>> out_count= resample(s, midbuf, out_count, postin, in_count);
>>>> + if (out_count < 0)
>>>> + return out_count;
>>>
>>> this doesn't look right
>> I could not understand your reply. Do you mean this bug does not exist, or this patch is not good?
>
> The patch looks wrong
> Do you see the difference between the 3 pieces of code below:
>
> if(postin != midbuf)
> out_count= resample(s, midbuf, out_count, postin, in_count);
> if (out_count < 0)
> return out_count;
>
>
> if(postin != midbuf)
> out_count= resample(s, midbuf, out_count, postin, in_count);
> if (out_count < 0)
> return out_count;
>
>
> if(postin != midbuf) {
> out_count= resample(s, midbuf, out_count, postin, in_count);
> if (out_count < 0)
> return out_count;
> }

Ohhhh, my god. It is my fault. The indentation here is misleading. This is the second time that I made this mistake.
Your case above is so wonderful. I would remember not to make this mistake again.
It seems like 'out_count' > 0 when it is correct. I will check this part of the code again.
Thank you very much. :)

>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> It's not that you shouldn't use gotos but rather that you should write
> readable code and code with gotos often but not always is less readable

diff --git a/libswresample/swresample.c b/libswresample/swresample.c index c03fe5528f..92ab6a9148 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -644,6 +644,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co if(s->resample_first){ if(postin != midbuf) out_count= resample(s, midbuf, out_count, postin, in_count); + if (out_count < 0) + return out_count; if(midbuf != preout) swri_rematrix(s, preout, midbuf, out_count, preout==out); }else{ @@ -651,6 +653,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co swri_rematrix(s, midbuf, postin, in_count, midbuf==out); if(midbuf != preout) out_count= resample(s, preout, out_count, midbuf, in_count); + if (out_count < 0) + return out_count; } if(preout != out && out_count){ @@ -769,7 +773,7 @@ int attribute_align_arg swr_convert(struct SwrContext *s, if(ret>0 && !s->drop_output) s->outpts += ret * (int64_t)s->in_sample_rate; - av_assert2(max_output < 0 || ret < 0 || ret <= max_output); + av_assert2(max_output < 0 || ret <= max_output); return ret; }else{
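Review bot: In the first hunk (the `s->resample_first` branch) the added `if (out_count < 0)` follows an unbraced `if(postin != midbuf)`, so it is a sibling statement and not part of that branch. It also runs when resample() was skipped, where it tests the caller's out_count rather than a resample() result. Put the call and the check in one braced block, `if(postin != midbuf) { out_count= resample(...); if (out_count < 0) return out_count; }`, so the early return is tied to the call that can fail.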
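Review bot: In the second hunk (the else branch) the check has the same scoping problem: it sits after `out_count= resample(s, preout, out_count, midbuf, in_count);` but outside the unbraced `if(midbuf != preout)`. Brace the call and the check together here as well. It is also worth noting in the commit message that the following context line `if(preout != out && out_count){` is no protection on its own, because a negative out_count is non-zero and passes that test.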
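Review bot: In the third hunk, dropping `ret < 0 ||` from the av_assert2() in swr_convert() does not appear to change what is asserted. When max_output is negative the first clause already holds, and when it is non-negative a negative ret already satisfies `ret <= max_output` (assuming both are signed ints; their declarations are not in the hunk). The commit message says the assert is changed to ensure the error code is returned, so either explain how the old form prevented that or leave this line out of the patch.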
If cannot allocate memory, ERROR(ENOMEM) '-12' as a parameter will be constantly being returned.
When run resample() firstly, negative size param would cause buffer-overflow and SEGV in swri_rematrix().
When run swri_rematrix() firstly, resample() would not cause error but Err num as a wrong parameter passing.
Err num should be returned immediately. And remove assert to ensure the return of the error code.

coredump info:
    #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
    #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
    #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
    #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
    #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
    #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
    #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
    #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
    #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
    #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
    #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
    #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
    #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
    #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
    #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
    #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
    #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
    #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
    #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
    #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
    #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
    #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Yu Yang <young_chelsea@163.com>
---
 libswresample/swresample.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
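
The failure mode described in the commit message, together with the scoping point raised in the review, as an added example that is not FFmpeg code and not part of the thread: an unchecked negative error code survives a non-zero guard and reaches the consuming stage as its count, where a cast to `size_t` would turn it into a huge copy size. `resample_stub`, `copy_stage`, `as_memcpy_size` and the two `convert_*` functions are hypothetical stand-ins, and the copy stage only records the count so the demo never writes out of bounds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: every name here is a hypothetical stand-in, not FFmpeg code. */
#define BUF_SAMPLES 64
struct stage_log { int copy_calls; int last_count; };

/* Stand-in for resample(): negative errno-style code when allocation fails. */
static int resample_stub(int alloc_fails, int out_count)
{
    return alloc_fails ? -ENOMEM : out_count;
}

/* What memcpy() would receive if a negative int count reached it unchecked. */
static size_t as_memcpy_size(int count) { return (size_t)count; }

/* Stand-in for the consuming stage: records the count it was handed and
 * only copies when the count is in range, so the demo stays in bounds. */
static void copy_stage(struct stage_log *log, float *dst, const float *src, int count)
{
    log->copy_calls++;
    log->last_count = count;
    if (count > 0 && count <= BUF_SAMPLES)
        memcpy(dst, src, (size_t)count * sizeof(*dst));
}

/* No check after the call: the error code is treated as a sample count. */
static int convert_unchecked(struct stage_log *log, int need_resample, int alloc_fails, int out_count)
{
    float in[BUF_SAMPLES] = {0}, out[BUF_SAMPLES] = {0};
    if (need_resample)
        out_count = resample_stub(alloc_fails, out_count);
    if (out_count)                      /* -ENOMEM is non-zero, so this passes */
        copy_stage(log, out, in, out_count);
    return out_count;
}

/* Call and check share one braced block: the early return belongs to the
 * call that can fail, and nothing downstream sees a negative count. */
static int convert_checked(struct stage_log *log, int need_resample, int alloc_fails, int out_count)
{
    float in[BUF_SAMPLES] = {0}, out[BUF_SAMPLES] = {0};
    if (need_resample) {
        out_count = resample_stub(alloc_fails, out_count);
        if (out_count < 0)
            return out_count;
    }
    if (out_count)
        copy_stage(log, out, in, out_count);
    return out_count;
}

int main(void)
{
    struct stage_log bad = {0, 0}, good = {0, 0};
    int r1 = convert_unchecked(&bad, 1, 1, 32);
    int r2 = convert_checked(&good, 1, 1, 32);
    printf("unchecked: ret=%d copy_calls=%d count=%d size=%zu\n",
           r1, bad.copy_calls, bad.last_count, as_memcpy_size(bad.last_count));
    printf("checked:   ret=%d copy_calls=%d\n", r2, good.copy_calls);
    return 0;
}
```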