* [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes
@ 2024-06-08 23:10 Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 2/9] avformat/rtsp: use < 0 for error check Michael Niedermayer
` (8 more replies)
0 siblings, 9 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1452585 Untrusted loop bound
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rtpenc_vc2hq.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c
index 085204fa646..cf548191d2e 100644
--- a/libavformat/rtpenc_vc2hq.c
+++ b/libavformat/rtpenc_vc2hq.c
@@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s
ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m);
}
-static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced)
+static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced)
{
RTPMuxContext *rtp_ctx = ctx->priv_data;
GetBitContext gc;
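Review bot: The new int return of send_picture() is never consumed. In the last hunk the DIRAC_PCODE_PICTURE_HQ case still calls send_picture(...) as a plain statement, and ff_rtp_send_vc2hq() itself stays void, so the AVERROR(EINVAL) added for short pictures is dropped silently. Either log at the point of failure (an av_log() warning next to the return) or check the result at the call site and stop processing the frame; otherwise the signature change has no effect a caller can observe.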
@@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int
uint16_t frag_len;
char *info_hdr = &rtp_ctx->buf[4];
+ if (size < DIRAC_PIC_NR_SIZE)
+ return AVERROR(EINVAL);
+
pic_nr = AV_RB32(&buf[0]);
buf += DIRAC_PIC_NR_SIZE;
size -= DIRAC_PIC_NR_SIZE;
@@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int
send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1);
buf += frag_len;
}
+ return 0;
}
void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced)
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame
parse_code = unit[4];
unit_size = AV_RB32(&unit[5]);
+ if (unit_size > end - unit)
+ break;
+
switch (parse_code) {
/* sequence header */
/* end of sequence */
case DIRAC_PCODE_SEQ_HEADER:
case DIRAC_PCODE_END_SEQ:
- send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0);
+ if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE)
+ send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0);
break;
/* HQ picture */
case DIRAC_PCODE_PICTURE_HQ:
- send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced);
+ if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE)
+ send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced);
break;
/* parse codes without specification */
case DIRAC_PCODE_AUX:
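Review bot: In the ff_rtp_send_vc2hq() loop the upper bound (unit_size > end - unit) is checked once after unit_size is read, but the lower bound unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE is repeated inside each case and undersized units are skipped without any message. A single range check next to the upper-bound test would cover every case that subtracts the header size, including ones added later. Two things the visible lines do not settle and the commit message should: that at least 9 bytes remain at unit before unit[4] and AV_RB32(&unit[5]) are read, and that the loop still advances when unit_size is smaller than the header (including 0), since the finding being fixed is an untrusted loop bound.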
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/9] avformat/rtsp: use < 0 for error check
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 3/9] avformat/rtsp: initialize reply1 Michael Niedermayer
` (7 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Found while reviewing CID1473532 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rtsp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index db78735c7ae..28c858077ad 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1429,7 +1429,7 @@ retry:
cur_auth_type = rt->auth_state.auth_type;
if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header,
send_content,
- send_content_length)))
+ send_content_length)) < 0)
return ret;
if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0)
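Review bot: With the first check changed to < 0, a positive return from rtsp_send_cmd_with_content_async() no longer exits here and execution continues into ff_rtsp_read_reply(). The commit message only says the line was found while reviewing CID1473532; it should state whether that function can return a positive value and, if it can, that falling through to read the reply is the intended behaviour.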
--
2.45.2
* [FFmpeg-devel] [PATCH 3/9] avformat/rtsp: initialize reply1
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 2/9] avformat/rtsp: use < 0 for error check Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 4/9] avformat/rtsp: Check that lower transport is handled in one of the if() Michael Niedermayer
` (6 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases, but there
are code paths like "continue" which look like they could skip it. But even if not,
writing this so that a complex loop, after several layers of calls, initializes a local
variable through a pointer is just bad design.
This patch simply initializes the variable.
Fixes: CID1473532 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rtsp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index 28c858077ad..c6fca89d83f 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1462,6 +1462,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port,
char cmd[MAX_URL_SIZE];
const char *trans_pref;
+ memset(&reply1, 0, sizeof(reply1));
+
if (rt->transport == RTSP_TRANSPORT_RDT)
trans_pref = "x-pn-tng";
else if (rt->transport == RTSP_TRANSPORT_RAW)
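Review bot: The memset() at the top of ff_rtsp_make_setup_request() makes reads of reply1 deterministic, but any path that reads it before ff_rtsp_send_cmd() has filled it now sees all-zero fields rather than a real reply. The commit message should name which field is read on such a path and confirm that zero is handled as "no reply" there. Initializing at the declaration (= { 0 }) would also keep the initialization next to the variable instead of among the statements.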
--
2.45.2
* [FFmpeg-devel] [PATCH 4/9] avformat/rtsp: Check that lower transport is handled in one of the if()
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 2/9] avformat/rtsp: use < 0 for error check Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 3/9] avformat/rtsp: initialize reply1 Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 5/9] avformat/subfile: Merge if into switch() Michael Niedermayer
` (5 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1473554 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rtsp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c
index c6fca89d83f..19b93df8394 100644
--- a/libavformat/rtsp.c
+++ b/libavformat/rtsp.c
@@ -1578,7 +1578,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port,
else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) {
snprintf(transport, sizeof(transport) - 1,
"%s/UDP;multicast", trans_pref);
+ } else {
+ err = AVERROR(EINVAL);
+ goto fail; // transport would be uninitialized
}
+
if (s->oformat) {
av_strlcat(transport, ";mode=record", sizeof(transport));
} else if (rt->server_type == RTSP_SERVER_REAL ||
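Review bot: The new else branch returns AVERROR(EINVAL) with no log message, so an unhandled lower_transport value fails the SETUP without telling the user why; an av_log() at error level naming the value would help. The blank line added after the closing brace is an unrelated whitespace change and could be dropped. Patch 6/9 handles the same "no case matched" situation with av_assert0(0), so the commit message should say whether this branch is reachable from input or is an internal invariant.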
--
2.45.2
* [FFmpeg-devel] [PATCH 5/9] avformat/subfile: Merge if into switch()
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (2 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 4/9] avformat/rtsp: Check that lower transport is handled in one of the if() Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 6/9] avformat/subfile: Assert that whence is a known case Michael Niedermayer
` (4 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Found while reviewing CID1452449 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/subfile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/subfile.c b/libavformat/subfile.c
index 633a9e3c62c..eedac1524e1 100644
--- a/libavformat/subfile.c
+++ b/libavformat/subfile.c
@@ -123,9 +123,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence)
return end;
}
- if (whence == AVSEEK_SIZE)
- return end - c->start;
switch (whence) {
+ case AVSEEK_SIZE:
+ return end - c->start;
case SEEK_SET:
new_pos = c->start + pos;
break;
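Review bot: Moving the AVSEEK_SIZE test into the switch does not change behaviour, since both forms compare whence for exact equality and return before new_pos is used. The commit message should say "no functional change" so that the reference to CID1452449 is not read as a fix.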
--
2.45.2
* [FFmpeg-devel] [PATCH 6/9] avformat/subfile: Assert that whence is a known case
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (3 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 5/9] avformat/subfile: Merge if into switch() Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 7/9] avformat/tls_schannel: Initialize ret Michael Niedermayer
` (3 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
This may help CID1452449 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/subfile.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/subfile.c b/libavformat/subfile.c
index eedac1524e1..be48ef72ef2 100644
--- a/libavformat/subfile.c
+++ b/libavformat/subfile.c
@@ -18,6 +18,7 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/opt.h"
#include "url.h"
@@ -135,6 +136,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence)
case SEEK_END:
new_pos = end + pos;
break;
+ default:
+ av_assert0(0);
}
if (new_pos < c->start)
return AVERROR(EINVAL);
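Review bot: The default case uses av_assert0(0), which is always compiled in and aborts the process, while whence is a parameter of subfile_seek() supplied by the caller. Unless every caller is known to pass only the values handled in the switch, returning AVERROR(EINVAL) here (as patch 4/9 does for the unhandled transport) fails the seek without taking the process down.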
--
2.45.2
* [FFmpeg-devel] [PATCH 7/9] avformat/tls_schannel: Initialize ret
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (4 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 6/9] avformat/subfile: Assert that whence is a known case Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race Michael Niedermayer
` (2 subsequent siblings)
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1591881 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/tls_schannel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c
index 214a47a218b..55a6766fb2e 100644
--- a/libavformat/tls_schannel.c
+++ b/libavformat/tls_schannel.c
@@ -389,7 +389,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len)
SECURITY_STATUS sspi_ret = SEC_E_OK;
SecBuffer inbuf[4];
SecBufferDesc inbuf_desc;
- int size, ret;
+ int size, ret = 0;
int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE;
/* If we have some left-over data from previous network activity,
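Review bot: Initializing ret to 0 in tls_read() silences CID1591881, but the hunk does not show which path reads ret before assigning it, and on that path the function now works with 0 rather than an error code. Name the path in the commit message and confirm that 0 is the right result there; if it is an error path, an AVERROR value is the safer default (patch 9/9 picks -1 for its uninitialized variable).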
--
2.45.2
* [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (5 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 7/9] avformat/tls_schannel: Initialize ret Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-07-08 17:46 ` Marton Balint
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 9/9] avformat/usmdec: Initialize value Michael Niedermayer
2024-07-07 20:27 ` [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
8 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1551679 Data race condition
Fixes: CID1551687 Data race condition
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/udp.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/libavformat/udp.c b/libavformat/udp.c
index c1ebdd12220..fd4847eda71 100644
--- a/libavformat/udp.c
+++ b/libavformat/udp.c
@@ -107,7 +107,8 @@ typedef struct UDPContext {
pthread_cond_t cond;
int thread_started;
#endif
- uint8_t tmp[UDP_MAX_PKT_SIZE+4];
+ uint8_t tmp_rx[UDP_MAX_PKT_SIZE+4];
+ uint8_t tmp_tx[UDP_MAX_PKT_SIZE+4];
int remaining_in_dg;
char *localaddr;
int timeout;
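Review bot: Splitting tmp into tmp_rx and tmp_tx only removes a race if circular_buffer_task_rx() and circular_buffer_task_tx() can run on the same UDPContext, and the commit message does not say that they can. In the later hunks the rx task fills the buffer in recvfrom() before taking s->mutex, and the tx task keeps reading through p after pthread_mutex_unlock(), so neither use is lock-protected. If the two threads never coexist on one context, this change only adds UDP_MAX_PKT_SIZE+4 bytes to every UDPContext and the two Coverity reports are better closed as false positives.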
@@ -504,7 +505,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
see "General Information" / "Thread Cancelation Overview"
in Single Unix. */
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old_cancelstate);
- len = recvfrom(s->udp_fd, s->tmp+4, sizeof(s->tmp)-4, 0, (struct sockaddr *)&addr, &addr_len);
+ len = recvfrom(s->udp_fd, s->tmp_rx+4, sizeof(s->tmp_rx)-4, 0, (struct sockaddr *)&addr, &addr_len);
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_cancelstate);
pthread_mutex_lock(&s->mutex);
if (len < 0) {
@@ -516,7 +517,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
}
if (ff_ip_check_source_lists(&addr, &s->filters))
continue;
- AV_WL32(s->tmp, len);
+ AV_WL32(s->tmp_rx, len);
if (av_fifo_can_write(s->fifo) < len + 4) {
/* No Space left */
@@ -532,7 +533,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
goto end;
}
}
- av_fifo_write(s->fifo, s->tmp, len + 4);
+ av_fifo_write(s->fifo, s->tmp_rx, len + 4);
pthread_cond_signal(&s->cond);
}
@@ -581,9 +582,9 @@ static void *circular_buffer_task_tx( void *_URLContext)
len = AV_RL32(tmp);
av_assert0(len >= 0);
- av_assert0(len <= sizeof(s->tmp));
+ av_assert0(len <= sizeof(s->tmp_tx));
- av_fifo_read(s->fifo, s->tmp, len);
+ av_fifo_read(s->fifo, s->tmp_tx, len);
pthread_mutex_unlock(&s->mutex);
@@ -607,7 +608,7 @@ static void *circular_buffer_task_tx( void *_URLContext)
target_timestamp = start_timestamp + sent_bits * 1000000 / s->bitrate;
}
- p = s->tmp;
+ p = s->tmp_tx;
while (len) {
int ret;
av_assert0(len > 0);
--
2.45.2
* [FFmpeg-devel] [PATCH 9/9] avformat/usmdec: Initialize value
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (6 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race Michael Niedermayer
@ 2024-06-08 23:10 ` Michael Niedermayer
2024-07-07 20:27 ` [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-06-08 23:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1551685 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/usmdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/usmdec.c b/libavformat/usmdec.c
index 9a21cc30413..6de2a73edf0 100644
--- a/libavformat/usmdec.c
+++ b/libavformat/usmdec.c
@@ -120,7 +120,7 @@ static int parse_utf(AVFormatContext *s, AVIOContext *pb,
for (int i = 0; i < nb_items; i++) {
GetByteContext *xgb;
uint8_t key[256];
- int64_t value;
+ int64_t value = -1;
int n = 0;
type = bytestream2_get_byte(&gb);
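Review bot: value = -1 gives the uninitialized path a defined result, but -1 is also a value an int64_t field can legitimately hold, so later code cannot tell "not set" from a real -1. The hunk does not show which type leaves value unassigned; handling that type explicitly (skip the item or return AVERROR_INVALIDDATA) would be clearer than a sentinel.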
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes
2024-06-08 23:10 [FFmpeg-devel] [PATCH 1/9] avformat/rtpenc_vc2hq: Check sizes Michael Niedermayer
` (7 preceding siblings ...)
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 9/9] avformat/usmdec: Initialize value Michael Niedermayer
@ 2024-07-07 20:27 ` Michael Niedermayer
8 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-07-07 20:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Jun 09, 2024 at 01:10:38AM +0200, Michael Niedermayer wrote:
> Fixes: CID1452585 Untrusted loop bound
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rtpenc_vc2hq.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
will apply patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato
* Re: [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race
2024-06-08 23:10 ` [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race Michael Niedermayer
@ 2024-07-08 17:46 ` Marton Balint
2024-07-09 13:12 ` Michael Niedermayer
0 siblings, 1 reply; 14+ messages in thread
From: Marton Balint @ 2024-07-08 17:46 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, 9 Jun 2024, Michael Niedermayer wrote:
> Fixes: CID1551679 Data race condition
> Fixes: CID1551687 Data race condition
How is this a data race? Concurrent reading and writing is not supported
for UDP as far as I know.
Thanks,
Marton
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/udp.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/libavformat/udp.c b/libavformat/udp.c
> index c1ebdd12220..fd4847eda71 100644
> --- a/libavformat/udp.c
> +++ b/libavformat/udp.c
> @@ -107,7 +107,8 @@ typedef struct UDPContext {
> pthread_cond_t cond;
> int thread_started;
> #endif
> - uint8_t tmp[UDP_MAX_PKT_SIZE+4];
> + uint8_t tmp_rx[UDP_MAX_PKT_SIZE+4];
> + uint8_t tmp_tx[UDP_MAX_PKT_SIZE+4];
> int remaining_in_dg;
> char *localaddr;
> int timeout;
> @@ -504,7 +505,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
> see "General Information" / "Thread Cancelation Overview"
> in Single Unix. */
> pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old_cancelstate);
> - len = recvfrom(s->udp_fd, s->tmp+4, sizeof(s->tmp)-4, 0, (struct sockaddr *)&addr, &addr_len);
> + len = recvfrom(s->udp_fd, s->tmp_rx+4, sizeof(s->tmp_rx)-4, 0, (struct sockaddr *)&addr, &addr_len);
> pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_cancelstate);
> pthread_mutex_lock(&s->mutex);
> if (len < 0) {
> @@ -516,7 +517,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
> }
> if (ff_ip_check_source_lists(&addr, &s->filters))
> continue;
> - AV_WL32(s->tmp, len);
> + AV_WL32(s->tmp_rx, len);
>
> if (av_fifo_can_write(s->fifo) < len + 4) {
> /* No Space left */
> @@ -532,7 +533,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
> goto end;
> }
> }
> - av_fifo_write(s->fifo, s->tmp, len + 4);
> + av_fifo_write(s->fifo, s->tmp_rx, len + 4);
> pthread_cond_signal(&s->cond);
> }
>
> @@ -581,9 +582,9 @@ static void *circular_buffer_task_tx( void *_URLContext)
> len = AV_RL32(tmp);
>
> av_assert0(len >= 0);
> - av_assert0(len <= sizeof(s->tmp));
> + av_assert0(len <= sizeof(s->tmp_tx));
>
> - av_fifo_read(s->fifo, s->tmp, len);
> + av_fifo_read(s->fifo, s->tmp_tx, len);
>
> pthread_mutex_unlock(&s->mutex);
>
> @@ -607,7 +608,7 @@ static void *circular_buffer_task_tx( void *_URLContext)
> target_timestamp = start_timestamp + sent_bits * 1000000 / s->bitrate;
> }
>
> - p = s->tmp;
> + p = s->tmp_tx;
> while (len) {
> int ret;
> av_assert0(len > 0);
> --
> 2.45.2
>
* Re: [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race
2024-07-08 17:46 ` Marton Balint
@ 2024-07-09 13:12 ` Michael Niedermayer
2024-07-09 13:18 ` Michael Niedermayer
2024-07-23 18:11 ` Michael Niedermayer
0 siblings, 2 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-07-09 13:12 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jul 08, 2024 at 07:46:19PM +0200, Marton Balint wrote:
>
>
> On Sun, 9 Jun 2024, Michael Niedermayer wrote:
>
> > Fixes: CID1551679 Data race condition
> > Fixes: CID1551687 Data race condition
>
> How is this a data race? Concurrent reading and writing is not supported for
> UDP as far as I know.
maybe Coverity tricked me together with memory of a long standing
unreproducible data corruption bug in udp ... thinking there were
2 threads using the same temporary buffer (which would really fit
the bug I remembered)
feel free to revert!
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Elect your leaders based on what they did after the last election, not
based on what they say before an election.
* Re: [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race
2024-07-09 13:12 ` Michael Niedermayer
@ 2024-07-09 13:18 ` Michael Niedermayer
2024-07-23 18:11 ` Michael Niedermayer
1 sibling, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-07-09 13:18 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jul 09, 2024 at 03:12:52PM +0200, Michael Niedermayer wrote:
> On Mon, Jul 08, 2024 at 07:46:19PM +0200, Marton Balint wrote:
> >
> >
> > On Sun, 9 Jun 2024, Michael Niedermayer wrote:
> >
> > > Fixes: CID1551679 Data race condition
> > > Fixes: CID1551687 Data race condition
marked the 2 as false positives
> >
> > How is this a data race? Concurrent reading and writing is not supported for
> > UDP as far as I know.
>
> maybe Coverity tricked me together with memory of a long standing
> unreproducible data corruption bug in udp ... thinking there were
> 2 threads using the same temporary buffer (which would really fit
> the bug I remembered)
>
> feel free to revert!
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I am the wisest man alive, for I know one thing, and that is that I know
nothing. -- Socrates
* Re: [FFmpeg-devel] [PATCH 8/9] avformat/udp: Fix temporary buffer race
2024-07-09 13:12 ` Michael Niedermayer
2024-07-09 13:18 ` Michael Niedermayer
@ 2024-07-23 18:11 ` Michael Niedermayer
1 sibling, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2024-07-23 18:11 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jul 09, 2024 at 03:12:52PM +0200, Michael Niedermayer wrote:
> On Mon, Jul 08, 2024 at 07:46:19PM +0200, Marton Balint wrote:
> >
> >
> > On Sun, 9 Jun 2024, Michael Niedermayer wrote:
> >
> > > Fixes: CID1551679 Data race condition
> > > Fixes: CID1551687 Data race condition
> >
> > How is this a data race? Concurrent reading and writing is not supported for
> > UDP as far as I know.
>
> maybe Coverity tricked me together with memory of a long standing
> unreproducible data corruption bug in udp ... thinking there were
> 2 threads using the same temporary buffer (which would really fit
> the bug I remembered)
>
> feel free to revert!
will revert
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire