From patchwork Mon Jan 27 08:28:20 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 17583
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Mon, 27 Jan 2020 09:28:20 +0100
Message-Id: <20200127082821.22770-3-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200127082821.22770-1-andreas.rheinhardt@gmail.com>
References: <20200127082821.22770-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 3/4] avfilter/vf_paletteuse: Fix potential double-free of AVFrame

apply_palette() would free an AVFrame given to it only via an AVFrame * (and not via AVFrame **) in three of its four exits (namely in the normal path and in two error paths). So upon error the caller has no way to know whether the frame has already been freed or not; load_apply_palette(), the only caller, opted to free the frame in this scenario.

This commit changes this by making apply_palette not free the frame at all, which is left to load_apply_palette().

Fixes Coverity issue #1452434.

Signed-off-by: Andreas Rheinhardt
--- libavfilter/vf_paletteuse.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/libavfilter/vf_paletteuse.c b/libavfilter/vf_paletteuse.c index ed128813d6..255c9d79e3 100644 --- a/libavfilter/vf_paletteuse.c +++ b/libavfilter/vf_paletteuse.c @@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!out) { - av_frame_free(&in); *outf = NULL; return AVERROR(ENOMEM); }
@@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) if (av_frame_ref(s->last_in, in) < 0 || av_frame_ref(s->last_out, out) < 0 || av_frame_make_writable(s->last_in) < 0) { - av_frame_free(&in); av_frame_free(&out); *outf = NULL; return AVERROR(ENOMEM); @@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) memcpy(out->data[1], s->palette, AVPALETTE_SIZE); if (s->calc_mean_err) debug_mean_error(s, in, out, inlink->frame_count_out); - av_frame_free(&in); *outf = out; return 0; } @@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs) if (ret < 0) return ret; if (!master || !second) { - ret = AVERROR_BUG; - goto error; + av_frame_free(&master); + return AVERROR_BUG; } if (!s->palette_loaded) { load_palette(s, second); } ret = apply_palette(inlink, master, &out); + av_frame_free(&master); if (ret < 0) - goto error; + return ret; return ff_filter_frame(ctx->outputs[0], out); - -error: - av_frame_free(&master); - return ret; } #define DEFINE_SET_FRAME(color_search, name, value) \
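Review bot: the new ownership rule for `in` is undocumented at the `apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)` definition (hunk @@ -903 and the two apply_palette hunks after it). With the three `av_frame_free(&in)` calls removed, the caller keeps ownership of `in` on every path while `*outf` is set to NULL on failure, but nothing at the definition says so. A short comment above the function stating that `in` is borrowed and never freed there would keep a later edit from reintroducing a free on only some exits, which is the pattern this patch removes.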
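Review bot: in the @@ -916 hunk, the failure branch of the combined `av_frame_ref(s->last_in, in) < 0 || av_frame_ref(s->last_out, out) < 0 || av_frame_make_writable(s->last_in) < 0` check can return with `s->last_in` (and possibly `s->last_out`) still holding a reference taken by an earlier call in the chain, since the branch only frees `out`. That reference is independent of the caller's frame, so the `av_frame_free(&master)` now done in load_apply_palette() does not leave it dangling, but the state is left half-updated. Consider calling av_frame_unref() on `s->last_in` and `s->last_out` in this branch, and returning the failing call's error code instead of a fixed `AVERROR(ENOMEM)`.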
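Review bot: in the @@ -1023 hunk, the `if (!master || !second)` branch frees `master` but does nothing with `second`, and the visible lines do not show who owns it. If `second` is borrowed, a one-line comment there would make the asymmetry clearly intentional; if it is owned, it needs the same `av_frame_free()` before `return AVERROR_BUG;`. The unconditional `av_frame_free(&master)` right after `apply_palette(inlink, master, &out)` depends on apply_palette() never freeing or keeping its argument, so it is worth stating that dependency in a comment at the call.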