[XviD-devel] malloc(0) and potential underflow error?

Michael Militzer michael at xvid.org
Wed Jul 1 10:54:39 CEST 2009


Hi,

I think that a legal stats file must start with a XVID_TYPE_IVOP frame
and hence will have at least one scene. So num_scenes should always be
greater than zero and the problem you pointed out should not occur.

Theoretically, it might be possible to trigger the malloc(0) problem in
case you open a specially crafted stats file that has no XVID_TYPE_IVOP
frames. Such a stats file is not valid however and is not generated upon
regular use of xvid.

I think the problem with invalid stats files could be solved by returning
an error in function statsfile_count_frames() in case no keyframes are
found in the stats file.

Regards,
Michael
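An added illustration (not xvidcore code, and not part of either mail) of the shape of the fix suggested above: a keyframe count that returns an error when the stats file has no XVID_TYPE_IVOP frame, checked before the per-scene allocation, so that num_scenes can never be zero when the scene-length array is allocated and indexed. The struct, the constant values, and the function names are simplified stand-ins, not the real ones from plugin2_pass2.c.

```c
#include <stdlib.h>
#define XVID_TYPE_IVOP 1   /* keyframe type; numeric value assumed for this demo */
#define XVID_TYPE_PVOP 2   /* any non-key frame, used only for constructed inputs */
typedef struct { int type; } stat_entry_t;   /* stand-in for rc->stats[i] */

/* The proposed check: report an error when the file holds no keyframe at all. */
int count_keyframes(const stat_entry_t *st, int num_frames)
{
    int n = 0;
    for (int i = 0; i < num_frames; i++)
        n += (st[i].type == XVID_TYPE_IVOP);
    return n > 0 ? n : -1;               /* -1: invalid stats file */
}
/* Quoted condition, plus: the first keyframe always opens a scene. */
static int scene_start(const stat_entry_t *st, int i, int scenes, int last, int minlen)
{
    return st[i].type == XVID_TYPE_IVOP && (scenes == 0 || i - last > minlen);
}
/* Returns num_scenes (> 0) with per-scene lengths in *out, or -1 for an invalid
 * file with *out == NULL; malloc(0) and scenelength[-1] become unreachable. */
int split_scenes(const stat_entry_t *st, int num_frames, int minlen, int **out)
{
    int num_scenes = 0, last = 0, s = 0;
    *out = NULL;
    if (num_frames <= 0 || count_keyframes(st, num_frames) < 0)
        return -1;                       /* reject before any allocation */
    for (int i = 0; i < num_frames; i++)
        if (scene_start(st, i, num_scenes, last, minlen)) { num_scenes++; last = i; }
    int *scenelength = malloc(num_scenes * sizeof *scenelength);  /* never size 0 */
    if (!scenelength) return -1;
    last = 0;
    for (int i = 0; i < num_frames; i++)
        if (scene_start(st, i, s, last, minlen)) {
            if (s > 0) scenelength[s - 1] = i - last;   /* close previous scene */
            s++; last = i;
        }
    scenelength[num_scenes - 1] = num_frames - last;    /* safe: num_scenes >= 1 */
    *out = scenelength;
    return num_scenes;
}
/* Constructed inputs: frame pattern "IPPPIPPIPP", or all P-frames when crafted
 * (the no-keyframe case). Returns the scene count, or scene k's length for k >= 0. */
int demo(int crafted, int minlen, int k)
{
    const char *pat = crafted ? "PPPPPPPPPP" : "IPPPIPPIPP";
    stat_entry_t st[10];
    for (int i = 0; i < 10; i++) st[i].type = pat[i] == 'I' ? XVID_TYPE_IVOP : XVID_TYPE_PVOP;
    int *len, n = split_scenes(st, 10, minlen, &len);
    int r = (n < 0) ? -1 : (k < 0 ? n : (k < n ? len[k] : -1));
    free(len); return r;                 /* free(NULL) is harmless on error */
}
```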


Quoting Sriram Sankaranarayanan <srirams at gmail.com>:

> Dear Developers,
>
> I am a program verification researcher at NEC Labs. I am trying to use our
> tool F-Soft to find bugs in open source projects (xvidcore being one of them).
>
> In the process of examining our tool reports, I came across a potential
> malloc(0) and an underflow related to it. I am not familiar with the details
> of your code (even though I am working to familiarize myself). I attach some
> details. Please email me if you have questions.
>
> Project: xvidcore version 1.2.1
>          Ditto for xvidcore version 1.2.2 (latest version).
>          http://downloads.xvid.org/downloads/xvidcore-1.2.2.tar.gz
>
> File: xvidcore/src/plugins/plugin2_pass2.c
>
> Function: scale_curve_for_vbv_compliancy (plugin2_pass2.c: line 1520).
>           The tool claims that
>             1. Value of num_scenes at lines 1565-1569 can be zero
>                (malloc(0) is likely)
>             2. Potential underflow at line 1591
>                (scenelength[num_scenes -1] is the expression accessed, num_scenes=0).
>
> A small pedantic note about malloc(0) :-)
>         http://blogs.ethz.ch/syslab/2007/04/02/malloc0-and-freenull/
>
> Our own examination suggests that this is likely if the condition
>     if ((rc->stats[i].type == XVID_TYPE_IVOP) && (i-last_scene>min_scenelength)) {
> at line 1559 is not enabled.
>
> If at all possible, feedback on the possibility of this bug will be
> appreciated.
>
> Thanks,
> Sriram Sankaranarayanan