From patchwork Sun Aug 9 15:57:40 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21557
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Sun, 9 Aug 2020 17:57:40 +0200
Message-Id: <20200809155748.30092-7-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
References: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 13/21] avfilter/vf_remap: Fix double-free of AVFilterFormats on error

The query_formats function of the remap filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more exactly, the AVFilterLink becomes one of the common owners of the list). Yet if attaching a list to one of its links succeeds and an error happens later on, both lists were manually freed, which is wrong if the list is already owned by one or more links; these links' pointers to their lists will become dangling and there will be a double-free/use-after-free when these links are cleaned up automatically.

This commit fixes this by removing the custom free code; this will temporarily add a leaking codepath (if attaching a list not already owned by a link to a link fails, the list will leak), but this will be fixed soon by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. Notice at most one list leaks because a new list is only allocated after the old list has been successfully attached to a link.
Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_remap.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/libavfilter/vf_remap.c b/libavfilter/vf_remap.c index 6d5d75225b..41a2409f21 100644 --- a/libavfilter/vf_remap.c +++ b/libavfilter/vf_remap.c @@ -115,25 +115,15 @@ static int query_formats(AVFilterContext *ctx) AVFilterFormats *pix_formats = NULL, *map_formats = NULL; int ret; - if (!(pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts)) || - !(map_formats = ff_make_format_list(map_fmts))) { - ret = AVERROR(ENOMEM); - goto fail; - } + pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts); if ((ret = ff_formats_ref(pix_formats, &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0 || - (ret = ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats)) < 0 || (ret = ff_formats_ref(pix_formats, &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (pix_formats) - av_freep(&pix_formats->formats); - av_freep(&pix_formats); - if (map_formats) - av_freep(&map_formats->formats); - av_freep(&map_formats); - return ret; + return ret; + + map_formats = ff_make_format_list(map_fmts); + if ((ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0) + return ret; + return ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats); } /**
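Review bot: the hunk drops the explicit ENOMEM check on the return value of ff_make_format_list() (the removed `if (!(pix_formats = ff_make_format_list(...)) || !(map_formats = ff_make_format_list(map_fmts)))` block), so a NULL pix_formats or map_formats now goes straight into ff_formats_ref(); nothing in the hunk or the commit message states that ff_formats_ref() rejects a NULL list with an error, and the patch is only correct if it does. Either add a sentence to the commit message saying that ff_formats_ref() handles NULL, or keep a NULL check before the first ff_formats_ref() call on each list. Minor: the `= NULL` initializers in `AVFilterFormats *pix_formats = NULL, *map_formats = NULL;` are now dead, since both variables are assigned before their first use, and can go. The leak the commit message acknowledges (a freshly allocated list whose first ff_formats_ref() fails is never freed) is exactly the two `return ret;` paths directly after each ff_make_format_list() call.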
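To make the ownership rule the commit message describes concrete, the following is an added C model, not FFmpeg's code: FormatList, Link, formats_ref, formats_unref, guarded_manual_free and the fault-injection globals are hypothetical stand-ins for AVFilterFormats, AVFilterLink, ff_formats_ref and ff_formats_unref. It runs the pre-patch and the patched shape of query_formats with the n-th ref call forced to fail, then tears the links down as the framework would, and reports how many owner slots the old unconditional free would have left dangling and how many lists are still alive afterwards. That a NULL list is rejected with ENOMEM by the ref function is an assumption of this model and is not verified against FFmpeg here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for AVFilterFormats: co-owned by every slot (link pointer)
 * that references it; refs[] records the addresses of those slots. */
typedef struct FormatList {
    unsigned refcount;
    struct FormatList ***refs;
} FormatList;
typedef struct Link { FormatList *in_formats, *out_formats; } Link;  /* AVFilterLink stand-in */
static int g_live_lists;   /* allocations minus frees: >0 after teardown is a leak */
static int g_ref_calls;    /* formats_ref call counter, for fault injection */
static int g_fail_ref_at;  /* 1-based number of the ref call that fails; 0 = none */

static FormatList *make_format_list(void) {
    FormatList *f = calloc(1, sizeof(*f));
    if (f) g_live_lists++;
    return f;
}
static void free_format_list(FormatList *f) {
    free(f->refs); free(f); g_live_lists--;
}

/* Attach f to slot *ref; on success the slot co-owns the list. A NULL list is
 * rejected with ENOMEM (an assumption of this model, not checked against FFmpeg). */
static int formats_ref(FormatList *f, FormatList **ref) {
    FormatList ***tmp;
    if (!f) return -ENOMEM;
    if (++g_ref_calls == g_fail_ref_at) return -ENOMEM;   /* injected failure */
    if (!(tmp = realloc(f->refs, (f->refcount + 1) * sizeof(*tmp)))) return -ENOMEM;
    f->refs = tmp;
    f->refs[f->refcount++] = ref;
    *ref = f;
    return 0;
}

/* Detach slot *ref; the list is freed together with its last owner. */
static void formats_unref(FormatList **ref) {
    FormatList *f = *ref;
    if (!f) return;
    for (unsigned i = 0; i < f->refcount; i++)
        if (f->refs[i] == ref) { f->refs[i] = f->refs[--f->refcount]; break; }
    *ref = NULL;
    if (!f->refcount) free_format_list(f);
}

/* Pre-patch cleanup freed regardless of owners; here an owned list is counted, not freed. */
static int guarded_manual_free(FormatList *f) {
    if (f && f->refcount) return (int)f->refcount;   /* these owner slots would dangle */
    if (f) free_format_list(f);
    return 0;
}

/* l[0..2] are the filter's inputs and l[3] its output, as in vf_remap. */
static int query_formats_buggy(Link *l, int *dangling) {   /* pre-patch shape */
    FormatList *pix_formats = NULL, *map_formats = NULL;
    int ret;
    if (!(pix_formats = make_format_list()) || !(map_formats = make_format_list())) { ret = -ENOMEM; goto fail; }
    if ((ret = formats_ref(pix_formats, &l[0].out_formats)) < 0 ||
        (ret = formats_ref(map_formats, &l[1].out_formats)) < 0 ||
        (ret = formats_ref(map_formats, &l[2].out_formats)) < 0 ||
        (ret = formats_ref(pix_formats, &l[3].in_formats)) < 0)
        goto fail;
    return 0;
fail:
    *dangling += guarded_manual_free(pix_formats);
    *dangling += guarded_manual_free(map_formats);
    return ret;
}

/* Patched shape: attach a list to all its links before allocating the next one,
 * return errors as-is, and let the owning links clean up on teardown. */
static int query_formats_fixed(Link *l) {
    FormatList *pix_formats = make_format_list(), *map_formats;
    int ret;
    if ((ret = formats_ref(pix_formats, &l[0].out_formats)) < 0 ||
        (ret = formats_ref(pix_formats, &l[3].in_formats)) < 0)
        return ret;
    map_formats = make_format_list();
    if ((ret = formats_ref(map_formats, &l[1].out_formats)) < 0)
        return ret;
    return formats_ref(map_formats, &l[2].out_formats);
}

/* Run one variant with the fail_at-th formats_ref failing, then unref every link slot as
 * the framework does on teardown. Returns the owner slots the manual free would have
 * left dangling; *leaked receives the number of lists still alive afterwards. */
static int simulate(int buggy, int fail_at, int *leaked) {
    Link l[4] = { { 0 } };
    int dangling = 0;
    g_live_lists = 0; g_ref_calls = 0; g_fail_ref_at = fail_at;
    if (buggy) query_formats_buggy(l, &dangling);
    else       query_formats_fixed(l);
    for (int i = 0; i < 4; i++) { formats_unref(&l[i].in_formats); formats_unref(&l[i].out_formats); }
    *leaked = g_live_lists;
    return dangling;
}

int main(void) {
    for (int n = 0; n <= 4; n++) {   /* n: which ref call fails, 0 = none */
        int lb, lf, db = simulate(1, n, &lb), df = simulate(0, n, &lf);
        printf("ref call %d fails: buggy dangling=%d leaked=%d | fixed dangling=%d leaked=%d\n", n, db, lb, df, lf);
    }
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the table shows the two failure modes side by side: in the pre-patch shape a failure at ref call 2, 3 or 4 leaves 1, 2 or 3 owner slots pointing at a list the manual cleanup freed (the dangling pointers the commit message describes), while the patched shape never dangles and leaks exactly one list only when a freshly allocated list's first attach fails (calls 1 and 3), which is the "at most one list leaks" case the message accepts as temporary.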