[FFmpeg-trac] #8227(avfilter:new): A double-free bug in the source file libavfilter/lavfutils.c
FFmpeg
trac at avcodec.org
Mon Oct 7 17:03:16 EEST 2019
#8227: A double-free bug in the source file libavfilter/lavfutils.c
-----------------------------------+--------------------------------------
Reporter: wurongxin | Type: defect
Status: new | Priority: normal
Component: avfilter | Version: git-master
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-----------------------------------+--------------------------------------
Summary of the bug:
How to reproduce:
{{{
% ffmpeg -i input ... output
ffmpeg version
built on ...
}}}
Patches should be submitted to the ffmpeg-devel mailing list and not this
bug tracker.
In the source file
https://github.com/FFmpeg/FFmpeg/blob/master/libavfilter/lavfutils.c,
there is a possible double-free bug. At Line 85, it invokes the
function av_read_frame, which would free the variable pkt->side_data. At Line
110, it invokes the function av_packet_unref, which would free the
variable pkt->side_data again.
{{{
85. ret = av_read_frame(format_ctx, &pkt);
86. if (ret < 0) {
87. av_log(log_ctx, AV_LOG_ERROR, "Failed to read frame from file\n");
88. goto end;
89. }
…
109. end:
110. av_packet_unref(&pkt);
}}}
To see how the function av_read_frame can free pkt->side_data, please
see the following code in the source file
https://github.com/FFmpeg/FFmpeg/blob/master/libavformat/utils.c. At Line
1854, it invokes the function av_packet_unref, which would free
pkt->side_data here.
{{{
1777. int av_read_frame(AVFormatContext *s, AVPacket *pkt)
1778. {
…
1850. ret = ff_packet_list_put(&s->internal->packet_buffer,
1851. &s->internal->packet_buffer_end,
1852. pkt, 0);
1853. if (ret < 0) {
1854. av_packet_unref(pkt);
1855. return ret;
1856. }
}}}
To see how the function av_packet_unref would free pkt->side_data, please
see the following code in the source file
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/avpacket.c. At
Line 601, it is the site where it frees pkt->side_data.
{{{
599. void av_packet_unref(AVPacket *pkt)
600. {
601. av_packet_free_side_data(pkt);
602. av_buffer_unref(&pkt->buf);
603. av_init_packet(pkt);
604. pkt->data = NULL;
605. pkt->size = 0;
606. }
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8227>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
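Added example, not FFmpeg code: a small C model of the read/unref error path quoted in the ticket, instrumented with a release counter instead of a real allocator so that a repeated release is observed rather than crashing. It assumes that the reset step clears side_data and side_data_elems, as av_init_packet (called at line 603 of the excerpt) does in FFmpeg; the no-reset variant is constructed only to show what the reported second release would require, and all names are hypothetical.

```c
#include <stddef.h>

/* Stand-in for AVPacket: only the fields the ticket talks about. */
typedef struct {
    int *side_data;        /* stands in for AVPacketSideData* */
    int  side_data_elems;
} Packet;

static int g_release_calls;   /* how many times side_data was released */

/* Stands in for av_packet_free_side_data + av_init_packet: release the
 * side-data array, then reset the fields (assumed av_init_packet behaviour). */
static void packet_unref(Packet *pkt)
{
    if (pkt->side_data)
        g_release_calls++;    /* a real build would free() here */
    pkt->side_data = NULL;    /* the reset that makes a later unref harmless */
    pkt->side_data_elems = 0;
}

/* Constructed broken variant that skips the reset: a second unref now
 * sees a live pointer and releases it again. */
static void packet_unref_no_reset(Packet *pkt)
{
    if (pkt->side_data)
        g_release_calls++;
}

/* Models the failure branch of av_read_frame (utils.c line 1854 in the
 * ticket): the packet is unref'd before the error is returned. */
static int read_frame(Packet *pkt, void (*unref)(Packet *))
{
    static int sd[2];
    pkt->side_data = sd;        /* constructed side data */
    pkt->side_data_elems = 2;
    unref(pkt);                 /* error path: unref and fail */
    return -1;
}

/* Replays the lavfutils.c pattern (read, goto end on error, unref again)
 * and returns how many side-data releases happened in total. */
static int releases_with(void (*unref)(Packet *))
{
    Packet pkt = {0};
    g_release_calls = 0;
    if (read_frame(&pkt, unref) < 0)
        goto end;
end:
    unref(&pkt);
    return g_release_calls;
}
```

With the reset in place the second unref finds a NULL pointer and releases nothing; only the variant that omits the reset reaches the second release the ticket describes.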