[FFmpeg-devel,v1] avformat/mpeg: fix CID 1455132: Memory - illegal accesses (UNINIT)

Submitted by lance.lmwang@gmail.com on Oct. 24, 2019, 1:36 a.m.

Details

Message ID 20191024013631.1396-1-lance.lmwang@gmail.com
State New

Commit Message

lance.lmwang@gmail.com Oct. 24, 2019, 1:36 a.m.
From: Limin Wang <lance.lmwang@gmail.com>

Before header_str is initialized, it is possible for the code to goto end and
free header_str, causing an invalid access.

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
---
 libavformat/mpeg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Andreas Rheinhardt Oct. 24, 2019, 2:07 a.m.
On Thu, Oct 24, 2019 at 3:36 AM <lance.lmwang@gmail.com> wrote:

> From: Limin Wang <lance.lmwang@gmail.com>
>
> Before header_str is initialized, the code is possible to goto end and
> free the
> header_str and cause invalid access.
>
> Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> ---
>  libavformat/mpeg.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> index c33401f1a0..ebc064931a 100644
> --- a/libavformat/mpeg.c
> +++ b/libavformat/mpeg.c
> @@ -720,7 +720,7 @@ static int vobsub_read_header(AVFormatContext *s)
>      int i, ret = 0, header_parsed = 0, langidx = 0;
>      MpegDemuxContext *vobsub = s->priv_data;
>      size_t fname_len;
> -    char *header_str;
> +    char *header_str = NULL;
>      AVBPrint header;
>      int64_t delay = 0;
>      AVStream *st = NULL;
> --
> 2.21.0
>

Posted a patch for this two days ago:
https://ffmpeg.org/pipermail/ffmpeg-devel/2019-October/251957.html

- Andreas

lance.lmwang@gmail.com Oct. 24, 2019, 1:49 p.m.
On Thu, Oct 24, 2019 at 04:07:37AM +0200, Andreas Rheinhardt wrote:
> On Thu, Oct 24, 2019 at 3:36 AM <lance.lmwang@gmail.com> wrote:
> 
> > From: Limin Wang <lance.lmwang@gmail.com>
> >
> > Before header_str is initialized, the code is possible to goto end and
> > free the
> > header_str and cause invalid access.
> >
> > Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> > ---
> >  libavformat/mpeg.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
> > index c33401f1a0..ebc064931a 100644
> > --- a/libavformat/mpeg.c
> > +++ b/libavformat/mpeg.c
> > @@ -720,7 +720,7 @@ static int vobsub_read_header(AVFormatContext *s)
> >      int i, ret = 0, header_parsed = 0, langidx = 0;
> >      MpegDemuxContext *vobsub = s->priv_data;
> >      size_t fname_len;
> > -    char *header_str;
> > +    char *header_str = NULL;
> >      AVBPrint header;
> >      int64_t delay = 0;
> >      AVStream *st = NULL;
> > --
> > 2.21.0
> >
> Posted a patch for this two days ago:
> https://ffmpeg.org/pipermail/ffmpeg-devel/2019-October/251957.html

Sorry, I hadn't noticed it, please ignore this.

> 
> - Andreas

Patch

diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index c33401f1a0..ebc064931a 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -720,7 +720,7 @@  static int vobsub_read_header(AVFormatContext *s)
     int i, ret = 0, header_parsed = 0, langidx = 0;
     MpegDemuxContext *vobsub = s->priv_data;
     size_t fname_len;
-    char *header_str;
+    char *header_str = NULL;
     AVBPrint header;
     int64_t delay = 0;
     AVStream *st = NULL;
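
Review bot: `AVBPrint header;`, the context line directly below the changed declaration, is still left without an initializer, so if the cleanup at `end` that frees `header_str` also reads or finalizes `header`, the early `goto end` described in the commit message would remain an uninitialized access for that variable. Please confirm the cleanup only touches `header_str` on that path, or initialize `header` before the first jump. The commit message would also be easier to verify if it named which `goto end` is reached before `header_str` is assigned.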