[FFmpeg-devel] avfilter/vf_unsharp: Don't dereference NULL

Submitted by Andreas Rheinhardt on Dec. 1, 2019, 9:56 a.m.

Details

Message ID 20191201095626.15871-1-andreas.rheinhardt@gmail.com
State Accepted
Commit 710ab136931ff228b355d87512b0d4ca4e94656a

Commit Message

Andreas Rheinhardt Dec. 1, 2019, 9:56 a.m.
The unsharp filter uses an array of arrays of uint32_t, each of which is
separately allocated. These arrays also need to be freed separately; but
before doing so, one needs to check whether the array of arrays has
actually been allocated, otherwise one would dereference a NULL pointer.
This fixes #8408.

Furthermore, the array of arrays needs to be zero-initialized so that
no uninitialized pointer will be freed in case an allocation of one of
the individual arrays fails.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavfilter/vf_unsharp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Paul B Mahol Dec. 1, 2019, 10:04 a.m.
LGTM

On 12/1/19, Andreas Rheinhardt <andreas.rheinhardt@gmail.com> wrote:
> The unsharp filter uses an array of arrays of uint32_t, each of which is
> separately allocated. These arrays also need to freed separately; but
> before doing so, one needs to check whether the array of arrays has
> actually been allocated, otherwise one would dereference a NULL pointer.
> This fixes #8408.
>
> Furthermore, the array of arrays needs to be zero-initialized so that
> no uninitialized pointer will be freed in case an allocation of one of
> the individual arrays fails.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
>  libavfilter/vf_unsharp.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c
> index 95b4968d41..7b430b650d 100644
> --- a/libavfilter/vf_unsharp.c
> +++ b/libavfilter/vf_unsharp.c
> @@ -218,7 +218,7 @@ static int init_filter_param(AVFilterContext *ctx,
> UnsharpFilterParam *fp, const
>             effect, effect_type, fp->msize_x, fp->msize_y, fp->amount /
> 65535.0);
>
>      fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads,
> sizeof(uint32_t));
> -    fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads,
> sizeof(uint32_t **));
> +    fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads,
> sizeof(uint32_t *));
>      if (!fp->sr || !fp->sc)
>          return AVERROR(ENOMEM);
>
> @@ -258,9 +258,11 @@ static void free_filter_param(UnsharpFilterParam *fp,
> int nb_threads)
>  {
>      int z;
>
> -    for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
> -        av_freep(&fp->sc[z]);
> -    av_freep(&fp->sc);
> +    if (fp->sc) {
> +        for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
> +            av_freep(&fp->sc[z]);
> +        av_freep(&fp->sc);
> +    }
>      av_freep(&fp->sr);
>  }
>
> --
> 2.20.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Dec. 3, 2019, 8:55 a.m.
On Sun, Dec 01, 2019 at 11:04:36AM +0100, Paul B Mahol wrote:
> LGTM

will apply

thx

[...]


diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c
index 95b4968d41..7b430b650d 100644
--- a/libavfilter/vf_unsharp.c
+++ b/libavfilter/vf_unsharp.c
@@ -218,7 +218,7 @@  static int init_filter_param(AVFilterContext *ctx, UnsharpFilterParam *fp, const
            effect, effect_type, fp->msize_x, fp->msize_y, fp->amount / 65535.0);
 
     fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads, sizeof(uint32_t));
-    fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t **));
+    fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t *));
     if (!fp->sr || !fp->sc)
         return AVERROR(ENOMEM);
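Review bot: The element count `2 * fp->steps_y * s->nb_threads` passed to `av_mallocz_array` is multiplied out by the caller, so the allocator's own overflow check covers only count times element size, not this product. If `steps_y` and `nb_threads` are plain `int` (their declarations are outside the hunk), the bound that keeps the product from wrapping should be stated or checked here. The switch to zeroed memory is also what makes cleanup safe after a partial failure, and it deserves a comment such as `/* zeroed: free_filter_param() frees every slot, including ones never allocated */`. init_filter_param's body starts and ends outside the hunk.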
 
@@ -258,9 +258,11 @@  static void free_filter_param(UnsharpFilterParam *fp, int nb_threads)
 {
     int z;
 
-    for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
-        av_freep(&fp->sc[z]);
-    av_freep(&fp->sc);
+    if (fp->sc) {
+        for (z = 0; z < 2 * fp->steps_y * nb_threads; z++)
+            av_freep(&fp->sc[z]);
+        av_freep(&fp->sc);
+    }
     av_freep(&fp->sr);
 }
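Review bot: The loop bound in `free_filter_param` is recomputed from `fp->steps_y` and the `nb_threads` argument rather than taken from the count used when `fp->sc` was allocated. The new `if (fp->sc)` guard therefore covers only the never-allocated case, and a mismatch between the two values would make the loop free past the end of the array. The callers are not visible here, so the invariant may already hold. Recording the slot count in `UnsharpFilterParam` at allocation time, or a comment stating that both values are fixed after init, would make it explicit. A short comment on the guard would also help: `/* sc is NULL when init_filter_param() failed or never ran */`.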