[FFmpeg-trac] #8222(avfilter:new): A potential Use-After-Free bug

FFmpeg trac at avcodec.org
Mon Oct 7 10:15:45 EEST 2019 

#8222: A potential Use-After-Free bug
-----------------------------------+--------------------------------------
             Reporter:  wurongxin  |                     Type:  defect
               Status:  new        |                 Priority:  normal
            Component:  avfilter   |                  Version:  git-master
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
 Summary of the bug:
 How to reproduce:
 {{{
 % ffmpeg -i input ... output
 ffmpeg version
 built on ...
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.

 In the source file libavfilter/af_afftfilt.c, in the function "static int
 config_input", there is a potential use after free bug. Please see the
 following code snippet.

 At Line 174, the variable **arg** will be assigned with a substring
 separated by "|". If inlink->channels is 1, last_expr will point to the
 same memory location of args.

 At Line 185, "args" will be freed, and it indicates that last_expr is also
 freed.

 At Line 192, again "arg" is assigned with the substring of args separated
 by "|". If "arg" is null, then "last_expr" at Line 194 is used after free.



 173.    for (ch = 0; ch < inlink->channels; ch++) {
 174.        char *arg = av_strtok(ch == 0 ? args : NULL, "|", &saveptr);
 175.
 176.        ret = av_expr_parse(&s->real[ch], arg ? arg : last_expr,
 var_names,
 177.                            NULL, NULL, func2_names, func2, 0, ctx);
 178.        if (ret < 0)
 179.            break;
 180.        if (arg)
 181.            last_expr = arg;
 182.        s->nb_exprs++;
 183.    }
 184.
 185.    av_free(args);
 186.
 187.    args = av_strdup(s->img_str ? s->img_str : s->real_str);
 188.    if (!args)
 189.        return AVERROR(ENOMEM);
 190.
 191.    for (ch = 0; ch < inlink->channels; ch++) {
 192.        char *arg = av_strtok(ch == 0 ? args : NULL, "|", &saveptr);
 193.
 194.        ret = av_expr_parse(&s->imag[ch], arg ? arg : last_expr,
 var_names,
 195.                            NULL, NULL, func2_names, func2, 0, ctx);
 196.        if (ret < 0)
 197.            break;
 198.        if (arg)
 199.            last_expr = arg;
 200.    }

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8222>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list