From patchwork Sun Aug 9 15:57:42 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21560
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 9 Aug 2020 17:57:42 +0200
Message-Id: <20200809155748.30092-9-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
References: <20200808140202.586-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 15/21] avfilter/vf_alphamerge: Fix double-free of AVFilterFormats on error
Cc: Andreas Rheinhardt

The query_formats function of the alphamerge filter tries to allocate two lists of formats which on success are attached to more permanent objects (AVFilterLinks) for storage afterwards. If attaching a list to an AVFilterLink succeeds, the link becomes one of the owners of the list. Yet if attaching a list to one of its links succeeds and an error happens later on, both lists were manually freed, which is wrong if the list is already owned by one or more links; these links' pointers to their lists will become dangling and there will be a double-free/use-after-free when these links are cleaned up automatically.

This commit fixes this by removing the custom freeing code; this will temporarily add a leaking codepath (if attaching a list not already owned by a link to a link fails, the list will leak), but this will be fixed soon by making sure that an AVFilterFormats without owner will be automatically freed when attaching it to an AVFilterLink fails. At most one list leaks because as of this commit a new list is only allocated after the old list has been successfully attached to a link.
Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_alphamerge.c | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/libavfilter/vf_alphamerge.c b/libavfilter/vf_alphamerge.c index 85b6d9b61a..a509f10103 100644 --- a/libavfilter/vf_alphamerge.c +++ b/libavfilter/vf_alphamerge.c @@ -55,27 +55,15 @@ static int query_formats(AVFilterContext *ctx) AV_PIX_FMT_NONE }; static const enum AVPixelFormat alpha_fmts[] = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_NONE }; - AVFilterFormats *main_formats = NULL, *alpha_formats = NULL; + AVFilterFormats *main_formats = ff_make_format_list(main_fmts); int ret; - if (!(main_formats = ff_make_format_list(main_fmts)) || - !(alpha_formats = ff_make_format_list(alpha_fmts))) { - ret = AVERROR(ENOMEM); - goto fail; - } - if ((ret = ff_formats_ref(main_formats , &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(alpha_formats, &ctx->inputs[1]->out_formats)) < 0 || - (ret = ff_formats_ref(main_formats , &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (main_formats) - av_freep(&main_formats->formats); - av_freep(&main_formats); - if (alpha_formats) - av_freep(&alpha_formats->formats); - av_freep(&alpha_formats); - return ret; + if ((ret = ff_formats_ref(main_formats, &ctx->inputs[0]->out_formats)) < 0 || + (ret = ff_formats_ref(main_formats, &ctx->outputs[0]->in_formats)) < 0) + return ret; + + return ff_formats_ref(ff_make_format_list(alpha_fmts), + &ctx->inputs[1]->out_formats); } static int config_input_main(AVFilterLink *inlink)
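Review bot: dropping the "if (!(main_formats = ff_make_format_list(main_fmts)) || ..." check means main_formats, and the inline ff_make_format_list(alpha_fmts) in the final return, now reach ff_formats_ref() without a NULL check, so correct behaviour on allocation failure rests entirely on ff_formats_ref() rejecting a NULL list with an error instead of dereferencing it; the commit message does not state that reliance, and either a sentence there or an explicit "if (!main_formats) return AVERROR(ENOMEM);" would make the hunk self-explanatory. The acknowledged leak window is also visible in the new lines: if the first ff_formats_ref(main_formats, &ctx->inputs[0]->out_formats) call fails, no link owns main_formats yet, so it is lost, exactly the case the message defers to a later change.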
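As an added illustration of the ownership rule the commit message describes, the constructed toy model below (my code, not FFmpeg's) uses List, Link, formats_ref and unref_links as stand-ins for AVFilterFormats, AVFilterLink, ff_formats_ref and the automatic link cleanup; the fail argument simulates an error inside the ref call. query_formats_old mirrors the pre-patch error path, which frees a list a link already owns, and query_formats_new mirrors the patched path, which instead leaks the one list that nothing owns yet.

```c
/* Constructed toy model of the ownership rule from the commit message (not
 * FFmpeg's code): once a link references a list it co-owns it, and only the
 * links' own cleanup may free it. List states let a test spot double frees. */
enum { LIVE = 1, FREED = 2 };
typedef struct List { int state, nb_owners; } List;
typedef struct Link { List *formats; } Link;
static List pool[4];                               /* the model's 'heap' */
static int n_alloc, n_freed, n_double_free;
static List *make_list(void) {                     /* never fails in the model */
    List *l = &pool[n_alloc++]; *l = (List){ LIVE, 0 }; return l;
}
static void free_list(List *l) {
    if (l->state == FREED) n_double_free++;        /* the bug being demonstrated */
    else n_freed++;
    l->state = FREED;
}
static int formats_ref(List *l, Link *link, int fail) { /* fail: simulated error */
    if (fail) return -1;
    link->formats = l; l->nb_owners++;             /* the link now co-owns the list */
    return 0;
}
static void unref_links(Link *links, int n) {      /* automatic link cleanup */
    for (int i = 0; i < n; i++)
        if (links[i].formats && --links[i].formats->nb_owners == 0)
            free_list(links[i].formats);
}
/* Before the patch: manual frees on error although links[0] already owns main_l. */
static int query_formats_old(Link *links) {
    List *main_l = make_list(), *alpha_l = make_list();
    int ret;
    if ((ret = formats_ref(main_l, &links[0], 0)) < 0 ||
        (ret = formats_ref(alpha_l, &links[1], 1)) < 0) {   /* second ref fails */
        free_list(main_l); free_list(alpha_l);
        return ret;
    }
    return 0;
}
/* After the patch: no manual frees; the still unowned alpha list leaks instead. */
static int query_formats_new(Link *links) {
    int ret = formats_ref(make_list(), &links[0], 0);
    return ret < 0 ? ret : formats_ref(make_list(), &links[1], 1);
}
/* Run a variant, then the link cleanup; report double frees or leaked lists. */
static int simulate(int (*qf)(Link *), int want_leaks) {
    Link links[2] = { { 0 }, { 0 } };
    n_alloc = n_freed = n_double_free = 0;
    qf(links); unref_links(links, 2);
    return want_leaks ? n_alloc - n_freed : n_double_free;
}
```

With the old path the model counts one double free and no leak; with the new path it counts no double free and exactly one leaked list, matching the "at most one list leaks" statement.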