Traneptora/FFmpeg
1
Fork 0
forked from FFmpeg/FFmpeg
Code Pull requests Activity

avformat/udp: Fix temporary buffer race

Browse source 
Fixes: CID1551679 Data race condition
Fixes: CID1551687 Data race condition

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2024-06-09 00:32:47 +02:00
parent f022afea77
commit 7b2f67ea77
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
1 changed files with 8 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
libavformat/udp.c
View file

@ -107,7 +107,8 @@ typedef struct UDPContext {
pthread_cond_t cond; pthread_cond_t cond;
int thread_started; int thread_started;
#endif #endif
uint8_t tmp[UDP_MAX_PKT_SIZE+4]; uint8_t tmp_rx[UDP_MAX_PKT_SIZE+4];
uint8_t tmp_tx[UDP_MAX_PKT_SIZE+4];
int remaining_in_dg; int remaining_in_dg;
char *localaddr; char *localaddr;
int timeout; int timeout;
@ -504,7 +505,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
see "General Information" / "Thread Cancelation Overview" see "General Information" / "Thread Cancelation Overview"
in Single Unix. */ in Single Unix. */
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old_cancelstate); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old_cancelstate);
len = recvfrom(s->udp_fd, s->tmp+4, sizeof(s->tmp)-4, 0, (struct sockaddr *)&addr, &addr_len); len = recvfrom(s->udp_fd, s->tmp_rx+4, sizeof(s->tmp_rx)-4, 0, (struct sockaddr *)&addr, &addr_len);
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_cancelstate); pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old_cancelstate);
pthread_mutex_lock(&s->mutex); pthread_mutex_lock(&s->mutex);
if (len < 0) { if (len < 0) {
@ -516,7 +517,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
} }
if (ff_ip_check_source_lists(&addr, &s->filters)) if (ff_ip_check_source_lists(&addr, &s->filters))
continue; continue;
AV_WL32(s->tmp, len); AV_WL32(s->tmp_rx, len);
if (av_fifo_can_write(s->fifo) < len + 4) { if (av_fifo_can_write(s->fifo) < len + 4) {
/* No Space left */ /* No Space left */
@ -532,7 +533,7 @@ static void *circular_buffer_task_rx( void *_URLContext)
goto end; goto end;
} }
} }
av_fifo_write(s->fifo, s->tmp, len + 4); av_fifo_write(s->fifo, s->tmp_rx, len + 4);
pthread_cond_signal(&s->cond); pthread_cond_signal(&s->cond);
} }
@ -581,9 +582,9 @@ static void *circular_buffer_task_tx( void *_URLContext)
len = AV_RL32(tmp); len = AV_RL32(tmp);
av_assert0(len >= 0); av_assert0(len >= 0);
av_assert0(len <= sizeof(s->tmp)); av_assert0(len <= sizeof(s->tmp_tx));
av_fifo_read(s->fifo, s->tmp, len); av_fifo_read(s->fifo, s->tmp_tx, len);
pthread_mutex_unlock(&s->mutex); pthread_mutex_unlock(&s->mutex);
@ -607,7 +608,7 @@ static void *circular_buffer_task_tx( void *_URLContext)
target_timestamp = start_timestamp + sent_bits * 1000000 / s->bitrate; target_timestamp = start_timestamp + sent_bits * 1000000 / s->bitrate;
} }
p = s->tmp; p = s->tmp_tx;
while (len) { while (len) {
int ret; int ret;
av_assert0(len > 0); av_assert0(len > 0);