author | Michael Niedermayer <michael@niedermayer.cc> | 2023-07-23 20:03:01 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-07-25 23:17:29 +0200 |
commit | 509ce40f188734ec74078ebdd8d71f80116d9eaf (patch) | |
tree | 0e3191d09405664e717efba7aac79e6dae0bd07d | |
parent | c5c719f030a209cc404754f928972a6c1a24dfef (diff) | |
download | ffmpeg-509ce40f188734ec74078ebdd8d71f80116d9eaf.tar.gz |
avformat/imf_cpl: xmlNodeListGetString() can return NULL
Fixes: NULL pointer dereference
Fixes: 60166/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5998301577871360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Pierre-Anthony Lemieux <pal@sandflow.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/imf_cpl.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c
index fe975c2f0c..69155d786d 100644
--- a/libavformat/imf_cpl.c
+++ b/libavformat/imf_cpl.c
@@ -75,6 +75,8 @@ int ff_imf_xml_read_uuid(xmlNodePtr element, AVUUID uuid)
 int ret = 0;
 xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
+ if (!element_text)
+ return AVERROR_INVALIDDATA;
 ret = av_uuid_urn_parse(element_text, uuid);
 if (ret)
 ret = AVERROR_INVALIDDATA;
@@ -88,7 +90,7 @@ int ff_imf_xml_read_rational(xmlNodePtr element, AVRational *rational)
 int ret = 0;
 xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
- if (sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2)
+ if (element_text == NULL || sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2)
 ret = AVERROR_INVALIDDATA;
 xmlFree(element_text);
@@ -100,7 +102,7 @@ int ff_imf_xml_read_uint32(xmlNodePtr element, uint32_t *number)
 int ret = 0;
 xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
- if (sscanf(element_text, "%" PRIu32, number) != 1)
+ if (element_text == NULL || sscanf(element_text, "%" PRIu32, number) != 1)
 ret = AVERROR_INVALIDDATA;
 xmlFree(element_text);
@@ -245,6 +247,8 @@ static int fill_timecode(xmlNodePtr cpl_element, FFIMFCPL *cpl)
 return AVERROR_INVALIDDATA;
 tc_str = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1);
+ if (!tc_str)
+ return AVERROR_INVALIDDATA;
 ret = parse_cpl_tc_type(tc_str, comps);
 xmlFree(tc_str);
 if (ret) |
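Review bot: The NULL guard is spelled `!element_text` here in ff_imf_xml_read_uuid (and `!tc_str` in the fill_timecode hunk) but `element_text == NULL` in the ff_imf_xml_read_rational and ff_imf_xml_read_uint32 hunks. Using one spelling, e.g. `if (!element_text || sscanf(...) != 2)`, would make the four guards read as the same fix. A short comment above the guard, such as `/* xmlNodeListGetString() returns NULL when the element has no text to return */`, would record why the check exists; the exact conditions are libxml2's, so the wording should be confirmed against its documentation. The function body continues outside the hunk, and any other xmlNodeListGetString() call sites in this file that the diff does not show presumably need the same check.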
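Review bot: In ff_imf_xml_read_rational the guarded `sscanf` still accepts a zero or negative denominator, so `rational->den` is handed to callers exactly as the file supplied it. Unless a caller outside this hunk already rejects it, a check such as `if (!ret && rational->den <= 0) ret = AVERROR_INVALIDDATA;` before the `xmlFree(element_text)` would keep a later division or rescale from seeing it. On a partial match `rational->num` may already have been written, so the contract that `*rational` is unspecified on error is worth stating in the function's doc comment. The function starts and ends outside the hunk.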
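Review bot: The format string in ff_imf_xml_read_uint32 passes the printf macro `PRIu32` to `sscanf`; the matching scanf macro is `SCNu32`, i.e. `sscanf(element_text, "%" SCNu32, number) != 1`. The two usually expand to the same text, but only `SCNu32` is guaranteed to match a `uint32_t *` argument. Separately, this conversion accepts a leading minus sign, ignores trailing characters, and has undefined behaviour when the value does not fit. For a number read from an untrusted file, a `strtoul()` parse that checks the end pointer, `errno` and the `UINT32_MAX` bound would be stricter. The function starts and ends outside the hunk.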