From patchwork Sun Aug 9 15:57:39 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21555
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 9 Aug 2020 17:57:39 +0200
Message-Id: <20200809155748.30092-6-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
References: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 12/21] avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error
List-Id: FFmpeg development discussions and patches
Cc: Andreas Rheinhardt

The query_formats function of the showpalette filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, the link becomes one (in this case the only one) of the owners of the list. Yet if attaching the first list to its link succeeds and attaching the second list fails, both lists were manually freed, which means that the first link's pointer to the first list becomes dangling and there will be a double-free when the first link is cleaned up automatically.

This commit fixes this by removing the custom free code; this will temporarily add a leaking codepath (if attaching a list to a link fails, the list will leak), but this will be fixed shortly by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. Notice at most one list leaks because as of this commit a new list is only allocated after the old list has been successfully attached to a link.

Signed-off-by: Andreas Rheinhardt
---
 libavfilter/vf_showpalette.c | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/libavfilter/vf_showpalette.c b/libavfilter/vf_showpalette.c index f715d6bc2c..c32dbd5b5d 100644 --- a/libavfilter/vf_showpalette.c +++ b/libavfilter/vf_showpalette.c @@ -46,26 +46,13 @@ static int query_formats(AVFilterContext *ctx) { static const enum AVPixelFormat in_fmts[] = {AV_PIX_FMT_PAL8, AV_PIX_FMT_NONE}; static const enum AVPixelFormat out_fmts[] = {AV_PIX_FMT_RGB32, AV_PIX_FMT_NONE}; - int ret; - AVFilterFormats *in = ff_make_format_list(in_fmts); - AVFilterFormats *out = ff_make_format_list(out_fmts); - if (!in || !out) { - ret = AVERROR(ENOMEM); - goto fail; - } + int ret = ff_formats_ref(ff_make_format_list(in_fmts), + &ctx->inputs[0]->out_formats); + if (ret < 0) + return ret; - if ((ret = ff_formats_ref(in , &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(out, &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (in) - av_freep(&in->formats); - av_freep(&in); - if (out) - av_freep(&out->formats); - av_freep(&out); - return ret; + return ff_formats_ref(ff_make_format_list(out_fmts), + &ctx->outputs[0]->in_formats); } static int config_output(AVFilterLink *outlink)
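Review bot: In query_formats, the removed `if (!in || !out)` check was the only place where an allocation failure from ff_make_format_list() was turned into AVERROR(ENOMEM); both results are now passed straight into ff_formats_ref(), so the new code is correct only if ff_formats_ref() itself rejects a NULL list with an error, which this hunk does not show. Please state that dependency in the commit message or in a short comment above the first call. Separately, the commit message concedes that a list leaks when ff_formats_ref() fails until a later patch in the series lands; consider ordering the ownership change before this one, or noting the leak in a code comment, so that an intermediate commit reached during a bisect does not silently trade the double-free for a leak.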