From patchwork Mon Apr 17 05:12:21 2017
X-Patchwork-Submitter: "Daniel Richard G."
X-Patchwork-Id: 3439
Message-Id: <1492405941.4135730.946500744.144D6FFA@webmail.messagingengine.com>
From: "Daniel Richard G." To: FFmpeg development discussions and patches MIME-Version: 1.0 X-Mailer: MessagingEngine.com Webmail Interface - html Date: Mon, 17 Apr 2017 01:12:21 -0400 Subject: [FFmpeg-devel] [PATCH] Check return value of read in ff_rtsp_read_reply() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" In the course of testing RTSP streaming of CCTV video via the FFmpeg API, I have found some Valgrind uninitialized-memory errors due to what appear to be short/failed reads in ffurl_read_complete(). The calling function ff_rtsp_read_reply() was not checking the return value, and so the library went on to parse garbage in an uninitialized heap-allocated buffer. The attached patch adds logic to check the return value and bail out on error. --Daniel From 544c2f4628d1c8923880219de190caa96d672100 Mon Sep 17 00:00:00 2001 From: Daniel Richard G Date: Sun, 16 Apr 2017 23:12:53 -0400 Subject: [PATCH] Check return value of read in ff_rtsp_read_reply() Signed-off-by: Daniel Richard G --- libavformat/rtsp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 261e970..da962fb 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1218,7 +1218,11 @@ start: content = av_malloc(content_length + 1); if (!content) return AVERROR(ENOMEM); - ffurl_read_complete(rt->rtsp_hd, content, content_length); + ret = ffurl_read_complete(rt->rtsp_hd, content, content_length); + if (ret != content_length) { + av_freep(&content); + return AVERROR_EOF; + } content[content_length] = '\0'; } if (content_ptr) -- 2.9.0
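Review bot: in the new `if (ret != content_length)` branch, a negative return from ffurl_read_complete() is replaced with AVERROR_EOF, so the caller can no longer tell a transport error from a short read. Suggest passing the original code through when there is one, for example `return ret < 0 ? ret : AVERROR_EOF;`, keeping the `av_freep(&content);` ahead of it. The hunk does not show a declaration of `ret`, so confirm it is already in scope at this point in ff_rtsp_read_reply(). The reason given in the cover text (Valgrind uninitialized-memory errors after short or failed reads) would also be worth carrying into the commit message body, which currently has only the subject line.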