[FFmpeg-devel] [PATCH 1/2] avformat/utils: free existing extradata before trying to allocate a new one

Wed Mar 7 04:40:17 EET 2018

On Tue, Mar 06, 2018 at 11:27:54PM -0300, James Almer wrote:
> On 3/6/2018 11:03 PM, James Almer wrote:
> > On 3/6/2018 10:47 PM, Michael Niedermayer wrote:
> >> On Tue, Mar 06, 2018 at 01:42:36AM -0300, James Almer wrote:
> >>> This prevents leaks in the rare cases the function is called when extradata
> >>> already exists.
> >>>
> >>> Signed-off-by: James Almer <jamrial at gmail.com>
> >>> ---
> >>>  libavformat/utils.c | 1 +
> >>>  1 file changed, 1 insertion(+)
> >>>
> >>> diff --git a/libavformat/utils.c b/libavformat/utils.c
> >>> index 72531d4185..31340a484b 100644
> >>> --- a/libavformat/utils.c
> >>> +++ b/libavformat/utils.c
> >>> @@ -3245,6 +3245,7 @@ int ff_alloc_extradata(AVCodecParameters *par, int size)
> >>>  {
> >>>      int ret;
> >>>  
> >>> +    av_freep(&par->extradata);
> >>>      if (size < 0 || size >= INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
> >>>          par->extradata = NULL;
> >>>          par->extradata_size = 0;
> >>
> >> This causes memory corruption
> >> ...
> >> [mpegts @ 0x7f8c74000a80] PES packet size mismatch
> >> *** Error in `./ffplay': double free or corruption (fasttop): 0x00007f8c7402d9c0 ***
> >> Aborted (core dumped)
> > 
> > Is something freeing extradata and leaving a dangling pointer before
> > eventually calling ff_alloc_extradata()?
> > At least the two calls in mpegts.c don't seem to do that.
> > 
> >>
> >> I think this should not have been applied so quickly, i tested it as soon as i
> >> had time and saw it but it was applied already
> > 
> > Fate passed when i tested it, and i got a positive review from the
> > author of the function in question, that's why i pushed it. Sorry.
> > 
> >>
> >> If it helps i can debug the cases i see to find out which calls cause them but
> >> someone will still have to review all call sites probably for this change to
> >> be safe
> > 
> > Yes, help would be welcome. Crashes like this probably hint at frees
> > leaving dangling pointers across the codebase.
> 
> Does the attached patch fix this crash?

yes, thanks!

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20180307/93ed253b/attachment.sig>