[FFmpeg-trac] #8229(undetermined:closed): A potential Use-After-Free bug in the source file libavfilter/vf_hwmap.c

FFmpeg trac at avcodec.org
Sat Oct 12 06:10:49 EEST 2019


#8229: A potential Use-After-Free bug in the source file libavfilter/vf_hwmap.c
-------------------------------------+-------------------------------------
             Reporter:  wurongxin    |                    Owner:
                 Type:  defect       |                   Status:  closed
             Priority:  normal       |                Component:
                                     |  undetermined
              Version:  git-master   |               Resolution:  invalid
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Changes (by mkver):

 * priority:  critical => normal
 * resolution:   => invalid
 * status:  new => closed
 * component:  avfilter => undetermined


Comment:

 > At Line 828, the copy of the variable derived_device_ctx will be created
 > and assigned to the variable dst_ref. Since this copy is a shallow copy,
 > dst_ref->buffer is actually the same memory address as
 > derived_device_ctx->buffer. At Line 870, dst_ref->buffer can be freed when
 > calling to the function av_buffer_unref.
 No.
 1. dst_ref->buffer is not the same as derived_device_ctx->buffer;
 ((AVHWFramesContext*) dst_ref->buffer)->device_ref->buffer is.
 2. But more importantly, you completely ignored/misunderstood that we are
 dealing with reference-counted buffers here:
    a) If the call to av_hwframe_ctx_alloc() fails, the reference counter
 of the underlying AVBuffer of derived_device_ctx is the same as before the
 call and dst_ref is NULL, so that av_buffer_unref(&dst_ref) is basically a
 no-op.
    b) If the call to av_hwframe_ctx_alloc() succeeds, the reference
 counter to derived_device_ctx has been incremented by 1. Should we goto
 fail in av_hwframe_ctx_create_derived() later on, dst_ref will be
 unreferenced; given that the reference counter of the underlying AVBuffer
 (which is different from the underlying AVBuffer of derived_device_ctx) is
 certain to be 1 at this point, this will trigger freeing of the underlying
 buffer via hwframe_ctx_free(). This in turn will unreference
 ((AVHWFramesContext*) dst_ref->buffer)->device_ref and therefore decrement
 the reference counter of the underlying buffer of derived_device_ctx, but
 it will not free this buffer; it will just undo the earlier increment.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8229#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
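To make the reference-counting argument in the comment concrete, the following is a small C model added to this archive page; it is neither libavutil code nor part of mkver's reply. It implements a simplified AVBuffer/AVBufferRef pair, a frames context that owns a reference to its device context, and walks both case a) and case b); the names Buffer, BufferRef, FramesContext, hwframe_ctx_alloc and derive_then_fail are assumptions of the model, and the fail flag stands in for av_hwframe_ctx_alloc() failing.

```c
#include <stdlib.h>
/* Minimal model of libavutil-style reference-counted buffers (a model, not libavutil itself). */
typedef struct Buffer { int refcount; void *data; void (*free_cb)(void *data); } Buffer;
typedef struct BufferRef { Buffer *buffer; } BufferRef;   /* shallow copies share one Buffer */
static BufferRef *buffer_create(void *data, void (*free_cb)(void *)) {
    Buffer *b = malloc(sizeof(*b)); BufferRef *r = malloc(sizeof(*r));
    b->refcount = 1; b->data = data; b->free_cb = free_cb;
    r->buffer = b;
    return r;
}
static BufferRef *buffer_ref(BufferRef *src) {           /* new ref to the same Buffer, refcount +1 */
    BufferRef *r = malloc(sizeof(*r));
    r->buffer = src->buffer; src->buffer->refcount++;
    return r;
}
static void buffer_unref(BufferRef **ref) {              /* no-op on NULL, like av_buffer_unref() */
    if (!*ref) return;
    if (--(*ref)->buffer->refcount == 0) {               /* free_cb runs only for the last reference */
        (*ref)->buffer->free_cb((*ref)->buffer->data);
        free((*ref)->buffer);
    }
    free(*ref); *ref = NULL;
}

/* Model of AVHWFramesContext: it owns its own reference to the device context. */
typedef struct FramesContext { BufferRef *device_ref; } FramesContext;
static int device_frees;                                 /* how often the device buffer was really freed */
static void device_free(void *data) { device_frees++; free(data); }
static void frames_free(void *data) {                    /* like hwframe_ctx_free(): drops device_ref */
    FramesContext *fc = data; buffer_unref(&fc->device_ref); free(fc);
}
static BufferRef *hwframe_ctx_alloc(BufferRef *device_ref, int fail) {
    if (fail) return NULL;                               /* case a): refcount untouched, NULL returned */
    FramesContext *fc = malloc(sizeof(*fc));
    fc->device_ref = buffer_ref(device_ref);             /* case b): device refcount +1 */
    return buffer_create(fc, frames_free);
}

/* Walks the "goto fail" path from the ticket; returns 1 if the device buffer survived it. */
int derive_then_fail(int alloc_fails) {
    device_frees = 0;
    BufferRef *derived_device_ctx = buffer_create(malloc(16), device_free);
    BufferRef *dst_ref = hwframe_ctx_alloc(derived_device_ctx, alloc_fails);
    int ok = derived_device_ctx->buffer->refcount == (alloc_fails ? 1 : 2);
    buffer_unref(&dst_ref);                              /* the unref the reporter flagged */
    ok = ok && derived_device_ctx->buffer->refcount == 1 && device_frees == 0;
    buffer_unref(&derived_device_ctx);                   /* only now is the device buffer freed */
    return ok && device_frees == 1;
}
```

In both paths the device buffer is freed exactly once, and only by the final unref of derived_device_ctx, which is the point of the closing comment.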