[FFmpeg-trac] #7193(avformat:new): Double free in libavformat/utils.c

FFmpeg trac at avcodec.org
Thu May 10 12:00:47 EEST 2018 

#7193: Double free in libavformat/utils.c
------------------------------------+------------------------------------
             Reporter:  timmyyuan   |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  normal      |                Component:  avformat
              Version:  git-master  |               Resolution:
             Keywords:              |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+------------------------------------

Comment (by timmyyuan):

 Replying to [comment:1 cehoyos]:
 > How can I reproduce this issue?
 we found this flaw by a static analyzer. To trigger the double frees at
 line 682 ( id3v2_extra_meta, first freed at 659) or line 686 (id3v2_meta,
 first freed at 642), malloc error and memory corruption (corrupt size of
 AVPacket to be negative or very large number) can make the if-branchs goto
 the fail handler. And as a result, it will lead to double free to all
 applications calling avformat_open_input.
 {{{
 // file ffmpeg/libavformat/utils.c
 ...
 537 int avformat_open_input(AVFormatContext **ps, const char *filename,
 538                         AVInputFormat *fmt, AVDictionary **options)
 539 {
 ...
 642         av_dict_free(&s->internal->id3v2_meta);
 643         if (s->error_recognition & AV_EF_EXPLODE)
 644             return AVERROR_INVALIDDATA;
 645     }
 ...
 650             if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0)
 651                 goto fail;
 652             if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta))
 < 0)
 653                 goto fail;
 654             if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0)
 655                 goto fail;
 ...
 659     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
 660
 661     if ((ret = avformat_queue_attached_pictures(s)) < 0)
 662         goto fail;
 ...
 681 fail:
 682     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
 683     av_dict_free(&tmp);
 684     if (s->pb && !(s->flags & AVFMT_FLAG_CUSTOM_IO))
 685         avio_closep(&s->pb);
 686     avformat_free_context(s);
 687     *ps = NULL;
 688     return ret;
 689 }
 ...
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/7193#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list