[FFmpeg-trac] #3171(avformat:new): avio_close() misuses AVIOContext.opaque field
FFmpeg
trac at avcodec.org
Mon Nov 25 12:30:14 CET 2013
#3171: avio_close() misuses AVIOContext.opaque field
----------------------------------+--------------------------------------
 Reporter: achurch                | Type: defect
 Status: new                      | Priority: normal
 Component: avformat              | Version: git-master
 Keywords:                        | Blocked By:
 Blocking:                        | Reproduced by developer: 0
 Analyzed by developer: 0         |
----------------------------------+--------------------------------------
(Note: the following is true as of git e78d038187)
In avio.h, the AVIOContext.opaque field is documented as "A private
pointer, passed to the read/write/seek/... functions", and
avio_alloc_context() takes an "opaque" parameter which is similarly
documented "An opaque pointer to user-specific data" and stored directly
into the created structure's opaque field. However, avio_close() treats
that field as a URLContext pointer:

    int avio_close(AVIOContext *s)
    {
        URLContext *h;
        // ...
        h = s->opaque;
        // ...
        return ffurl_close(h);
    }

If a user-created AVIOContext makes use of the opaque field as documented,
avio_close() may crash, inappropriately free memory, etc. when it
interprets the user's opaque data as a URLContext structure.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/3171>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
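
The mismatch described in this ticket, reduced to a stand-alone C model (an added example, not FFmpeg code and not part of the original report). `IoCtx`, `UrlCtx`, `owns_url` and the `io_*` functions are hypothetical stand-ins, and the ownership tag is one assumed way to stop a close routine from reinterpreting caller data.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not FFmpeg's real definitions. */
typedef struct UrlCtx { int closed; } UrlCtx;   /* role of URLContext */

typedef struct IoCtx {                          /* role of AVIOContext */
    void *opaque;    /* documented as the caller's private pointer */
    int   owns_url;  /* assumed tag: 1 only if the library stored a UrlCtx */
} IoCtx;

/* Role of ffurl_close(): writes through the pointer it is given. */
static int url_close(UrlCtx *h) { h->closed = 1; return 0; }

static IoCtx *io_new(void *opaque, int owns_url)
{
    IoCtx *s = malloc(sizeof(*s));
    if (s) { s->opaque = opaque; s->owns_url = owns_url; }
    return s;
}

/* Library-internal open path: opaque really is a UrlCtx. */
IoCtx *io_open_url(UrlCtx *h) { return io_new(h, 1); }

/* Public allocator: opaque is whatever the caller passed in. */
IoCtx *io_alloc(void *user_opaque) { return io_new(user_opaque, 0); }

/* Pattern from the ticket: trusts opaque to be a UrlCtx unconditionally. */
int io_close_unchecked(IoCtx *s)
{
    UrlCtx *h = s->opaque;   /* type confusion if s came from io_alloc() */
    free(s);
    return url_close(h);
}

/* Checked variant: never reinterprets caller-owned data. */
int io_close_checked(IoCtx *s)
{
    if (!s)
        return 0;
    if (!s->owns_url)
        return -1;           /* context untouched; caller releases it */
    UrlCtx *h = s->opaque;
    free(s);
    return url_close(h);
}
```

With the checked variant, a context built through `io_alloc()` is rejected with an error and left intact, so the caller's data is never written through as if it were a `UrlCtx`.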