From patchwork Sun Aug 9 15:57:38 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21554
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 9 Aug 2020 17:57:38 +0200
Message-Id: <20200809155748.30092-5-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
References: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 11/21] avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error
List-Id: FFmpeg development discussions and patches
Cc: Andreas Rheinhardt

The query_formats function of the amix filter tries to allocate a list of
channel layouts which are attached to more permanent objects (an AVFilter's
links) for storage afterwards on success. If attaching a list to a link
succeeds, the link becomes one of the common owners of the list. Yet if a
list has been successfully attached to links (or if there were no links to
attach it to, in which case ff_set_common_channel_layouts() already frees
the list) and an error happens later on, the list was manually freed, which
is wrong, because the list has either already been freed or it is owned by
its links, in which case these links' pointers to their list will become
dangling and there will be double-frees/uses-after-free when these links
are cleaned up automatically.

This commit fixes this by removing the custom freeing code; this is made
possible by using the list in ff_set_common_channel_layouts() directly
after its allocation (without anything that can fail in between).

Notice that ff_set_common_channel_layouts() is buggy itself which can lead
to double-frees on error. This is not fixed in this commit.
Signed-off-by: Andreas Rheinhardt --- libavfilter/af_amix.c | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index 6a4ef8d944..cae9d4585a 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -593,25 +593,13 @@ static int query_formats(AVFilterContext *ctx) AV_SAMPLE_FMT_DBL, AV_SAMPLE_FMT_DBLP, AV_SAMPLE_FMT_NONE }; - AVFilterChannelLayouts *layouts; int ret; - layouts = ff_all_channel_counts(); - if (!layouts) { - ret = AVERROR(ENOMEM); - goto fail; - } - if ((ret = ff_set_common_formats(ctx, ff_make_format_list(sample_fmts))) < 0 || - (ret = ff_set_common_channel_layouts(ctx, layouts)) < 0 || (ret = ff_set_common_samplerates(ctx, ff_all_samplerates())) < 0) - goto fail; - return 0; -fail: - if (layouts) - av_freep(&layouts->channel_layouts); - av_freep(&layouts); - return ret; + return ret; + + return ff_set_common_channel_layouts(ctx, ff_all_channel_counts()); } static int process_command(AVFilterContext *ctx, const char *cmd, const char *args,
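Review bot: the new `return ff_set_common_channel_layouts(ctx, ff_all_channel_counts());` passes the allocation result through without a NULL check, so the fix rests entirely on ff_set_common_channel_layouts() turning a NULL list into an error return and, as the commit message states, freeing the list itself when no link takes it; neither contract is visible in the hunk, so a short comment at the call site (or a sentence in the message naming the NULL handling) would spare the next reader from reading this as an unchecked allocation. The existing `if` chain already placed the same trust in ff_make_format_list() and ff_all_samplerates(), so the patch at least makes the three calls consistent. Two smaller points: the channel-layout list is now set after the sample rates instead of before, which is harmless as far as the visible code goes but deserves a mention, and the double-free inside ff_set_common_channel_layouts() that the message acknowledges remains reachable from this path, so a follow-up reference would help.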
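The ownership rule the commit message relies on, as an added example (not FFmpeg code and not the author's): a toy model in C of a refcounted list that records a back-pointer to every link slot that co-owns it. The names LayoutList, Link, list_ref, list_unref, set_common, old_error_path and new_query_formats are hypothetical stand-ins; they imitate only the contract the message describes for ff_channel_layouts_ref()/ff_channel_layouts_unref() and ff_set_common_channel_layouts() (a NULL list is an allocation error, a list nobody takes is freed by the setter, the last owner frees) and do not reproduce FFmpeg's implementation, including the open bug in ff_set_common_channel_layouts() that the message leaves unfixed. old_error_path() follows the shape of the removed code and shows why a raw free of the local pointer after a successful attach is wrong; new_query_formats() follows the patched shape.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for AVFilterChannelLayouts/AVFilterLink (payload omitted):
 * a list remembers every owner slot (refs[i]) it has been stored in. */
typedef struct LayoutList {
    int refcount;
    struct LayoutList ***refs;
} LayoutList;
typedef struct { LayoutList *out_layouts; } Link;
static int lists_freed;  /* how often list memory was really released */

/* Raw free: only correct once no owner slot points at the list any more. */
static void list_free(LayoutList **lp)
{
    if (!*lp) return;
    free((*lp)->refs); free(*lp);
    *lp = NULL; lists_freed++;
}

/* Make slot *ref a co-owner of l (models ff_channel_layouts_ref()). */
static int list_ref(LayoutList *l, LayoutList **ref)
{
    LayoutList ***n = realloc(l->refs, (l->refcount + 1) * sizeof(*n));
    if (!n) return -1;
    l->refs = n; l->refs[l->refcount++] = ref; *ref = l;
    return 0;
}

/* Release *ref's co-ownership; the last owner frees the list (models ff_channel_layouts_unref()). */
static void list_unref(LayoutList **ref)
{
    LayoutList *l = *ref;
    if (!l) return;
    for (int i = 0; i < l->refcount; i++)
        if (l->refs[i] == ref) {
            memmove(&l->refs[i], &l->refs[i + 1], (l->refcount - 1 - i) * sizeof(*l->refs));
            l->refcount--;
            break;
        }
    *ref = NULL;
    if (l->refcount == 0) list_free(&l);
}

/* Models ff_set_common_channel_layouts(): hand l to every link lacking a list;
 * with no takers free it here; a NULL l is an allocation failure. */
static int set_common(Link **links, int nb_links, LayoutList *l)
{
    int count = 0;
    if (!l) return -1;
    for (int i = 0; i < nb_links; i++) {
        if (!links[i] || links[i]->out_layouts) continue;
        if (list_ref(l, &links[i]->out_layouts) < 0) {
            /* correct unwind: owners attached so far release l, the last one frees it */
            for (int j = l->refcount; j > 0; j--) list_unref(l->refs[j - 1]);
            if (count == 0) list_free(&l);
            return -1;
        }
        count++;
    }
    if (!count) list_free(&l);
    return 0;
}

/* Old query_formats shape: allocate, attach, free the local pointer on a later failure.
 * The links co-own the list, so that free would leave their slots dangling; a refcount
 * guard reports 1 instead of doing it. Needs nb_links > 0 (else the pointer is already stale). */
static int old_error_path(Link **links, int nb_links)
{
    LayoutList *layouts = nb_links > 0 ? calloc(1, sizeof(*layouts)) : NULL;
    if (!layouts || set_common(links, nb_links, layouts) < 0) return -1;
    /* ... a later allocation fails and control reaches the old cleanup ... */
    if (layouts->refcount > 0) return 1;
    list_free(&layouts);
    return 0;
}

/* Patched shape: the fresh list goes straight into set_common(), which keeps or frees it. */
static int new_query_formats(Link **links, int nb_links)
{
    return set_common(links, nb_links, calloc(1, sizeof(LayoutList)));
}

/* Patched path over nb_links (0..2) links, then link teardown: returns how often the
 * list was freed (expect 1); negative means an ownership invariant broke. */
static int fixed_path_free_count(int nb_links)
{
    Link a = {0}, b = {0}, *links[2] = { &a, &b };
    lists_freed = 0;
    if (new_query_formats(links, nb_links) < 0) return -1;
    if (nb_links == 2 && (a.out_layouts != b.out_layouts || a.out_layouts->refcount != 2)) return -2;
    for (int i = 0; i < nb_links; i++) list_unref(&links[i]->out_layouts);
    return (a.out_layouts || b.out_layouts) ? -3 : lists_freed;
}

/* Old path over two links: guard trips (1) and proper teardown still frees once. */
static int old_path_guard_trips(void)
{
    Link a = {0}, b = {0}, *links[2] = { &a, &b };
    lists_freed = 0;
    int r = old_error_path(links, 2);
    for (int i = 0; i < 2; i++) list_unref(&links[i]->out_layouts);
    return lists_freed == 1 ? r : -2;
}
```

Compile with any C99 compiler and call fixed_path_free_count(2), fixed_path_free_count(0) and old_path_guard_trips() from a main of your own: each returns 1, meaning the list is released exactly once through its owners (or by the setter when there are no owners), while the old shape's raw free is caught while the links still hold the list. The refcount guard in old_error_path() is a debug check added for the demonstration, not something the patch introduces; in the real code the equivalent would be asserting that a list has no owners before calling av_freep() on it.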