From ce9f91aa8d131126e781b55e78ca094b602e5569 Mon Sep 17 00:00:00 2001
From: Donat Zenichev
Date: Mon, 13 Jan 2025 11:12:06 +0100
Subject: [PATCH] MT#61856 packet_sequencer_init: fix Coverity Scan defect `packet_sequencer_init()` initializes `packet_sequencer_t` sequence to -1 always. So make sure to set `uint16_t` later not to an underflowing value, which can potentially set the `uint16_t` object type to some insanely big value. Fixes: /daemon/codec.c: 1893 in __handler_func_sequencer() 1887 if (!seq) { 1888 seq = g_slice_alloc0(sizeof(*seq)); 1889 packet_sequencer_init(seq, (GDestroyNotify) __transcode_packet_free); 1890 g_hash_table_insert(ssrc_in_p->sequencers, mp->media_out, seq); 1891 } 1892 >>> CID 1616503: Integer handling issues (INTEGER_OVERFLOW) >>> Expression "seq_ori", where "seq->seq" is known to be equal to -1, overflows the type of "seq_ori", which is type "uint16_t". 1893 uint16_t seq_ori = seq->seq; 1894 int seq_ret = packet_sequencer_insert(seq, &packet->p); 1895 if (seq_ret < 0) { 1896 // dupe 1897 int func_ret = 0; 1898 if (packet->dup_func) ** CID 1616502: (LOCK_EVASION) /daemon/media_player.c: 487 in media_player_read_decoded_packet() /daemon/media_player.c: 479 in media_player_read_decoded_packet() Change-Id: Ifbd68021f17866aa9b7482b1bd42e2acf1c25dfa
---
 daemon/codec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemon/codec.c b/daemon/codec.c
index 3eb48b108..14cabe474 100644
--- a/daemon/codec.c
+++ b/daemon/codec.c
@@ -1890,7 +1890,7 @@ static int __handler_func_sequencer(struct media_packet *mp, struct transcode_pa
 g_hash_table_insert(ssrc_in_p->sequencers, mp->media_out, seq);
 }
 
- uint16_t seq_ori = seq->seq;
+ uint16_t seq_ori = (seq->seq < 0) ? 0 : seq->seq;
 int seq_ret = packet_sequencer_insert(seq, &packet->p);
 if (seq_ret < 0) {
 // dupe
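Review bot: The new initialiser `(seq->seq < 0) ? 0 : seq->seq` maps the "no packet seen yet" sentinel onto 0, which is also a valid sequence number, so code after this line can no longer tell a freshly initialised sequencer from one that is positioned at sequence 0. The old conversion of -1 to `uint16_t` was well-defined in C and produced 65535, so this changes the value rather than only silencing the Coverity warning. The uses of `seq_ori` lie outside the hunk, as does the rest of `__handler_func_sequencer`, so any that do modulo-65536 arithmetic should be checked for the first-packet case, since sequence numbers presumably come from received media. I would at least state the intent next to the line, for example `/* seq->seq is -1 until the first packet is inserted; seq_ori is deliberately 0 in that case */`, or keep the sentinel in a signed local and branch on it where `seq_ori` is consumed. If `seq->seq` is wider than 16 bits (its declaration is not visible here), the upper bound is still unchecked by this expression.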