rtmp: Don't try to do av_malloc(0)

diff mbox

Message ID	1306345057-18757-1-git-send-email-martin@martin.st
State	Committed
Commit	271c869cc3285dac2b6f2663a87c70bf3ba2b04f
Headers	show Return-Path: <libav-devel-bounces@libav.org> From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st> To: libav-devel@libav.org Date: Wed, 25 May 2011 20:37:37 +0300 Message-Id: <1306345057-18757-1-git-send-email-martin@martin.st> In-Reply-To: <BANLkTin6iPnuaTojz5HMPm4WKFqYJ=oK0g@mail.gmail.com> References: <BANLkTin6iPnuaTojz5HMPm4WKFqYJ=oK0g@mail.gmail.com> Subject: [libav-devel] [PATCH] rtmp: Don't try to do av_malloc(0) Precedence: list Reply-To: libav development <libav-devel@libav.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: libav-devel-bounces@libav.org Errors-To: libav-devel-bounces@libav.org

Message ID

1306345057-18757-1-git-send-email-martin@martin.st

State

Committed

Commit

271c869cc3285dac2b6f2663a87c70bf3ba2b04f

Headers

show

Return-Path: <libav-devel-bounces@libav.org>
X-Original-To: patchwork@jannau.net
Delivered-To: patchwork@jannau.net
Received: from batanen.kinali.ch (batanen.kinali.ch [78.46.43.144])
	by chybek.jannau.net (Postfix) with ESMTP id 2A22853E05A9;
	Wed, 25 May 2011 19:37:41 +0200 (CEST)
Received: from batanen.kinali.ch (localhost [127.0.0.1])
	by batanen.kinali.ch (Postfix) with ESMTP id 16C3510091;
	Wed, 25 May 2011 19:37:41 +0200 (CEST)
X-Original-To: libav-devel@libav.org
Delivered-To: libav-devel@libav.org
Received: from localhost (localhost [127.0.0.1])
	by batanen.kinali.ch (Postfix) with ESMTP id D858210091
	for <libav-devel@libav.org>; Wed, 25 May 2011 19:37:39 +0200 (CEST)
Received: from batanen.kinali.ch ([127.0.0.1])
	by localhost (batanen.kinali.ch [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 5jhXiwZns6gh for <libav-devel@libav.org>;
	Wed, 25 May 2011 19:37:39 +0200 (CEST)
Received: from mail-ew0-f54.google.com (mail-ew0-f54.google.com
	[209.85.215.54])
	by batanen.kinali.ch (Postfix) with ESMTP id B8CF010090
	for <libav-devel@libav.org>; Wed, 25 May 2011 19:37:39 +0200 (CEST)
Received: by ewy1 with SMTP id 1so5317205ewy.27
	for <libav-devel@libav.org>; Wed, 25 May 2011 10:37:39 -0700 (PDT)
Received: by 10.213.99.206 with SMTP id v14mr2069862ebn.3.1306345059405;
	Wed, 25 May 2011 10:37:39 -0700 (PDT)
Received: from localhost (dsl-tkubrasgw1-fe10fa00-54.dhcp.inet.fi
	[84.250.16.54]) by mx.google.com with ESMTPS id
	y14sm3903152eeh.17.2011.05.25.10.37.38
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 25 May 2011 10:37:39 -0700 (PDT)
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
To: libav-devel@libav.org
Date: Wed, 25 May 2011 20:37:37 +0300
Message-Id: <1306345057-18757-1-git-send-email-martin@martin.st>
X-Mailer: git-send-email 1.7.3.1
In-Reply-To: <BANLkTin6iPnuaTojz5HMPm4WKFqYJ=oK0g@mail.gmail.com>
References: <BANLkTin6iPnuaTojz5HMPm4WKFqYJ=oK0g@mail.gmail.com>
Subject: [libav-devel] [PATCH] rtmp: Don't try to do av_malloc(0)
X-BeenThere: libav-devel@libav.org
X-Mailman-Version: 2.1.11
Precedence: list
Reply-To: libav development <libav-devel@libav.org>
List-Id: libav development <libav-devel.libav.org>
List-Unsubscribe: <https://lists.libav.org/mailman/options/libav-devel>,
	<mailto:libav-devel-request@libav.org?subject=unsubscribe>
List-Archive: <http://lists.libav.org/pipermail/libav-devel>
List-Post: <mailto:libav-devel@libav.org>
List-Help: <mailto:libav-devel-request@libav.org?subject=help>
List-Subscribe: <https://lists.libav.org/mailman/listinfo/libav-devel>,
	<mailto:libav-devel-request@libav.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: libav-devel-bounces@libav.org
Errors-To: libav-devel-bounces@libav.org

Commit Message

Martin Storsjö May 25, 2011, 5:37 p.m.

Some received packets can have size 0. The return value from
av_malloc(0) may be NULL, which is ok if the size was 0. On
OS X, however, the returned pointer is non-null but leads to
crashes when trying to free it.
---
 libavformat/rtmppkt.c   |    2 ++
 libavformat/rtmpproto.c |    2 +-
 2 files changed, 3 insertions(+), 1 deletions(-)

Comments

Ronald Bultje May 25, 2011, 5:39 p.m. | #1

Hi,

On Wed, May 25, 2011 at 1:37 PM, Martin Storsjö <martin@martin.st> wrote:
> @@ -233,9 +233,11 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
>  int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
>                           int timestamp, int size)
>  {
> +    if (size) {
>     pkt->data = av_malloc(size);
>     if (!pkt->data)
>         return AVERROR(ENOMEM);
> +    }
>     pkt->data_size  = size;
>     pkt->channel_id = channel_id;
>     pkt->type       = type;

OK.

> @@ -683,7 +683,7 @@ static int get_packet(URLContext *s, int for_header)
>         return AVERROR_EOF;
>
>     for (;;) {
> -        RTMPPacket rpkt;
> +        RTMPPacket rpkt = { 0 };
>         if ((ret = ff_rtmp_packet_read(rt->stream, &rpkt,
>                                        rt->chunk_size, rt->prev_pkt[0])) <= 0) {
>             if (ret == 0) {

Unrelated? If it fixes something it's OK.

Ronald

Martin Storsjö May 25, 2011, 6:53 p.m. | #2

On Wed, 25 May 2011, Ronald S. Bultje wrote:

> Hi,
> 
> On Wed, May 25, 2011 at 1:37 PM, Martin Storsjö <martin@martin.st> wrote:
> > @@ -233,9 +233,11 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
> >  int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
> >                           int timestamp, int size)
> >  {
> > +    if (size) {
> >     pkt->data = av_malloc(size);
> >     if (!pkt->data)
> >         return AVERROR(ENOMEM);
> > +    }
> >     pkt->data_size  = size;
> >     pkt->channel_id = channel_id;
> >     pkt->type       = type;
> 
> OK.
> 
> > @@ -683,7 +683,7 @@ static int get_packet(URLContext *s, int for_header)
> >         return AVERROR_EOF;
> >
> >     for (;;) {
> > -        RTMPPacket rpkt;
> > +        RTMPPacket rpkt = { 0 };
> >         if ((ret = ff_rtmp_packet_read(rt->stream, &rpkt,
> >                                        rt->chunk_size, rt->prev_pkt[0])) <= 0) {
> >             if (ret == 0) {
> 
> Unrelated? If it fixes something it's OK.

No, without this, pkt->data will be left uninitialized for these cases 
where size == 0.

I'll push in a moment then - I assume I don't need to post the reindent 
patch before pushing it.

// Mart

Ronald Bultje May 25, 2011, 6:54 p.m. | #3

Hi Martin,

On Wed, May 25, 2011 at 2:53 PM, Martin Storsjö <martin@martin.st> wrote:
> On Wed, 25 May 2011, Ronald S. Bultje wrote:
>> On Wed, May 25, 2011 at 1:37 PM, Martin Storsjö <martin@martin.st> wrote:
>> > @@ -233,9 +233,11 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
>> >  int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
>> >                           int timestamp, int size)
>> >  {
>> > +    if (size) {
>> >     pkt->data = av_malloc(size);
>> >     if (!pkt->data)
>> >         return AVERROR(ENOMEM);
>> > +    }
>> >     pkt->data_size  = size;
>> >     pkt->channel_id = channel_id;
>> >     pkt->type       = type;
>>
>> OK.
>>
>> > @@ -683,7 +683,7 @@ static int get_packet(URLContext *s, int for_header)
>> >         return AVERROR_EOF;
>> >
>> >     for (;;) {
>> > -        RTMPPacket rpkt;
>> > +        RTMPPacket rpkt = { 0 };
>> >         if ((ret = ff_rtmp_packet_read(rt->stream, &rpkt,
>> >                                        rt->chunk_size, rt->prev_pkt[0])) <= 0) {
>> >             if (ret == 0) {
>>
>> Unrelated? If it fixes something it's OK.
>
> No, without this, pkt->data will be left uninitialized for these cases
> where size == 0.
>
> I'll push in a moment then - I assume I don't need to post the reindent
> patch before pushing it.

Nope, that's fine.

Ronald

Patch

diff mbox

diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index 63b0628..93790eb 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -233,9 +233,11 @@  int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt,
 int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type,
                           int timestamp, int size)
 {
+    if (size) {
     pkt->data = av_malloc(size);
     if (!pkt->data)
         return AVERROR(ENOMEM);
+    }
     pkt->data_size  = size;
     pkt->channel_id = channel_id;
     pkt->type       = type;
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 70e4b14..f499bd3 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -683,7 +683,7 @@  static int get_packet(URLContext *s, int for_header)
         return AVERROR_EOF;
 
     for (;;) {
-        RTMPPacket rpkt;
+        RTMPPacket rpkt = { 0 };
         if ((ret = ff_rtmp_packet_read(rt->stream, &rpkt,
                                        rt->chunk_size, rt->prev_pkt[0])) <= 0) {
             if (ret == 0) {