| Message ID | 20200825140927.16433-19-andreas.rheinhardt@gmail.com |
|---|---|
| State | Accepted |
| Commit | 0960da42f5414a24497c75787ff4be318ae41421 |
| Series | [FFmpeg-devel,01/19] avfilter/avfilter: Fix indentation |
| Context | Check | Description |
|---|---|---|
| andriy/default | pending | |
| andriy/make | success | Make finished |
| andriy/make_fate | success | Make fate finished |
On 8/25/20, Andreas Rheinhardt <andreas.rheinhardt@gmail.com> wrote: > The headphone filter uses a variable number of inpads and allocates them > in its init function; if all goes well, the number of inpads coincides > with a number stored in the filter's private context. Yet if allocating a > subsequent inpad fails, the uninit function nevertheless uses the number > stored in the private context to determine the number of inpads to free > and not the AVFilterContext's nb_inputs. This will lead to an access > beyond the end of the allocated AVFilterContext.input_pads array and > an invalid free. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> > --- > This is not the only thing wrong in this filter. Will send a separate > patchset for it. > > libavfilter/af_headphone.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > LGTM > diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c > index 552ad84837..751f4ab53d 100644 > --- a/libavfilter/af_headphone.c > +++ b/libavfilter/af_headphone.c > @@ -812,7 +812,6 @@ static int config_output(AVFilterLink *outlink) > static av_cold void uninit(AVFilterContext *ctx) > { > HeadphoneContext *s = ctx->priv; > - int i; > > av_fft_end(s->ifft[0]); > av_fft_end(s->ifft[1]); > @@ -834,11 +833,9 @@ static av_cold void uninit(AVFilterContext *ctx) > av_freep(&s->data_hrtf[1]); > av_freep(&s->fdsp); > > - for (i = 0; i < s->nb_inputs; i++) { > - if (ctx->input_pads && i) > - av_freep(&ctx->input_pads[i].name); > - } > av_freep(&s->in); > + for (unsigned i = 1; i < ctx->nb_inputs; i++) > + av_freep(&ctx->input_pads[i].name); > } > > #define OFFSET(x) offsetof(HeadphoneContext, x) > -- > 2.20.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff --git a/libavfilter/af_headphone.c b/libavfilter/af_headphone.c index 552ad84837..751f4ab53d 100644 --- a/libavfilter/af_headphone.c +++ b/libavfilter/af_headphone.c @@ -812,7 +812,6 @@ static int config_output(AVFilterLink *outlink) static av_cold void uninit(AVFilterContext *ctx) { HeadphoneContext *s = ctx->priv; - int i; av_fft_end(s->ifft[0]); av_fft_end(s->ifft[1]); @@ -834,11 +833,9 @@ static av_cold void uninit(AVFilterContext *ctx) av_freep(&s->data_hrtf[1]); av_freep(&s->fdsp); - for (i = 0; i < s->nb_inputs; i++) { - if (ctx->input_pads && i) - av_freep(&ctx->input_pads[i].name); - } av_freep(&s->in); + for (unsigned i = 1; i < ctx->nb_inputs; i++) + av_freep(&ctx->input_pads[i].name); } #define OFFSET(x) offsetof(HeadphoneContext, x)
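Review bot: in the first hunk, dropping the function-scope `int i` is consistent with the second hunk, which declares its counter as `unsigned i` inside the for statement; an unsigned counter also avoids a signed/unsigned comparison against the new bound `ctx->nb_inputs`, so nothing in the visible context still needs the old `int i`.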
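Review bot: in the second hunk, the rewritten loop also drops the `ctx->input_pads &&` half of the removed guard `if (ctx->input_pads && i)`, so it now relies on `ctx->nb_inputs` being 0 whenever `ctx->input_pads` is NULL; that holds if nb_inputs is only incremented when a pad is actually inserted, and it would be worth stating in the commit message since the old guard was protecting that case. Bounding by `ctx->nb_inputs` rather than `s->nb_inputs` is the right fix: after a failed init the former counts the pads that exist while the latter is the intended count, so the old loop read past the end of `input_pads` and handed a garbage pointer to av_freep. Starting at `i = 1` preserves the old behaviour of never freeing pad 0's name, and moving `av_freep(&s->in)` above the loop has no effect on the result.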
The headphone filter uses a variable number of inpads and allocates them in its init function; if all goes well, the number of inpads coincides with a number stored in the filter's private context. Yet if allocating a subsequent inpad fails, the uninit function nevertheless uses the number stored in the private context to determine the number of inpads to free and not the AVFilterContext's nb_inputs. This will lead to an access beyond the end of the allocated AVFilterContext.input_pads array and an invalid free.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
This is not the only thing wrong in this filter. Will send a separate patchset for it.

 libavfilter/af_headphone.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
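The failure mode the commit message describes, as an added example (constructed model, not FFmpeg's code): a context whose input pad array grows by one element per successful insert, an init that fails part-way through, and two cleanup bounds, the intended count kept in the private context versus the count of pads actually inserted. `FilterCtx`, `insert_inpad`, `filter_init`, `filter_uninit` and the assumption that pad 0 carries a static name while later pads get heap-allocated ones are all this example's own; `audit_cleanup_bound` counts what the old loop bound would touch instead of dereferencing it, so the program stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pad bookkeeping in the commit message (not FFmpeg
 * code). Pads are appended one at a time, so input_pads is only ever as long
 * as the number of pads actually inserted; the private context remembers the
 * number the filter *wanted*. */
typedef struct Pad {
    char *name;   /* assumption: pad 0 keeps a static name, later pads heap-allocated ones */
} Pad;

typedef struct FilterCtx {
    Pad     *input_pads;   /* grows by one element per successful insert */
    unsigned nb_inputs;    /* pads actually inserted (the AVFilterContext-side count) */
    unsigned nb_wanted;    /* the count kept in the filter's private context */
} FilterCtx;

/* Portable replacement for strdup(), so the example builds under strict C99. */
static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Append one pad; the array is reallocated so it is exactly nb_inputs long. */
static int insert_inpad(FilterCtx *ctx, char *name)
{
    Pad *grown = realloc(ctx->input_pads, (ctx->nb_inputs + 1) * sizeof(*grown));
    if (!grown)
        return -1;            /* old array is still valid and still owned by ctx */
    ctx->input_pads = grown;
    ctx->input_pads[ctx->nb_inputs++].name = name;
    return 0;
}

/* Create nb_wanted pads. fail_at (-1 for none) simulates the name allocation
 * of pad fail_at failing, leaving the context partially built just as a real
 * init() would before returning an error to the caller. */
static int filter_init(FilterCtx *ctx, unsigned nb_wanted, int fail_at)
{
    static char in0[] = "in0";        /* static name: must never be freed */
    ctx->input_pads = NULL;
    ctx->nb_inputs  = 0;
    ctx->nb_wanted  = nb_wanted;
    if (insert_inpad(ctx, in0) < 0)
        return -1;
    for (unsigned i = 1; i < nb_wanted; i++) {
        char buf[16];
        snprintf(buf, sizeof buf, "in%u", i);
        char *name = ((int)i == fail_at) ? NULL : dup_name(buf);
        if (!name || insert_inpad(ctx, name) < 0) {
            free(name);
            return -1;                /* caller will run uninit on this partial state */
        }
    }
    return 0;
}

/* Audit of the OLD cleanup loop's bound without dereferencing anything:
 * returns how many indices in [1, bound) lie beyond the pads that exist.
 * Each such index is an out-of-bounds read of input_pads followed by a
 * free of whatever garbage pointer is found there. */
static unsigned audit_cleanup_bound(const FilterCtx *ctx, unsigned bound)
{
    unsigned oob = 0;
    for (unsigned i = 1; i < bound; i++)
        if (i >= ctx->nb_inputs)
            oob++;
    return oob;
}

/* The corrected uninit: bounded by the pads actually inserted, never by the
 * intended count. Returns the number of names freed so callers can check it. */
static unsigned filter_uninit(FilterCtx *ctx)
{
    unsigned freed = 0;
    for (unsigned i = 1; i < ctx->nb_inputs; i++) {   /* pad 0's name is static */
        free(ctx->input_pads[i].name);
        ctx->input_pads[i].name = NULL;
        freed++;
    }
    free(ctx->input_pads);
    ctx->input_pads = NULL;
    ctx->nb_inputs  = 0;
    return freed;
}

/* One scenario: ask for `wanted` pads, fail at `fail_at`, then compare what
 * the old nb_wanted-bounded loop would do with what the fixed loop does. */
typedef struct Outcome {
    unsigned nb_inputs;   /* pads that existed when cleanup ran */
    unsigned oob_frees;   /* invalid frees the old loop would attempt */
    unsigned freed;       /* names the fixed loop freed */
} Outcome;

static Outcome run_scenario(unsigned wanted, int fail_at)
{
    FilterCtx ctx;
    Outcome o;
    (void)filter_init(&ctx, wanted, fail_at);      /* a failure is the point here */
    o.nb_inputs = ctx.nb_inputs;
    o.oob_frees = audit_cleanup_bound(&ctx, ctx.nb_wanted);
    o.freed     = filter_uninit(&ctx);
    return o;
}

int main(void)
{
    Outcome bad = run_scenario(4, 2);   /* in0 and in1 inserted, in2 fails */
    Outcome ok  = run_scenario(4, -1);
    printf("partial init: %u pads exist, old bound would free %u nonexistent pads, fixed loop freed %u\n",
           bad.nb_inputs, bad.oob_frees, bad.freed);
    printf("clean init:   %u pads exist, old bound would free %u nonexistent pads, fixed loop freed %u\n",
           ok.nb_inputs, ok.oob_frees, ok.freed);
    return 0;
}
```

The two counters only agree when init succeeds; the moment a later pad fails, `nb_wanted` exceeds `nb_inputs` and every index in between is memory the array never had. Bounding cleanup by the count that tracks what was really created is the general rule for any init/uninit pair that builds a variable-length resource incrementally.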