From patchwork Sat Sep 19 16:35:57 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 22492
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 19 Sep 2020 18:35:57 +0200
Message-Id: <20200919163610.1099233-8-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200919163610.1099233-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 08/21] avformat/dashdec, hls: Update correct pointer to AVDictionary

open_url() in the DASH as well as in the hls demuxer share a common bug: They modify an AVDictionary (i.e. set a new entry) given to them as AVDictionary *, yet if this new entry leads to reallocation and relocation of the AVDictionary, the caller's pointer will become dangling, leading to use-after-frees. So pass an AVDictionary **.

(With the current implementation of AVDictionary the above can only happen if the AVDictionary was empty initially (in which case the new AVDictionary leaks); furthermore if the I/O is ordinary (i.e. opened by avio_open2() or ffio_open_whitelist()), the dict is never empty (it contains an rw_timeout entry from save_avio_options()). So this issue could only happen if the caller sets a nondefault io_open callback, but no AVIOContext (the AVFMT_FLAG_CUSTOM_IO flag won't be set in this case). In case of the HLS demuxer, it was also necessary that setting the "seekable" entry failed. Yet one should simply not rely on internals of the AVDict API.)

Signed-off-by: Andreas Rheinhardt
---
 libavformat/dashdec.c |  8 ++++----
 libavformat/hls.c     | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index ee40f2aa0c..55212661be 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -400,7 +400,7 @@ static void free_subtitle_list(DASHContext *c) } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2, int *is_http) + AVDictionary **opts, AVDictionary *opts2, int *is_http) { DASHContext *c = s->priv_data; AVDictionary *tmp = NULL; @@ -440,7 +440,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; av_freep(pb); - av_dict_copy(&tmp, opts, 0); + av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); if (ret >= 0) { @@ -451,7 +451,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies); if (new_cookies) { - av_dict_set(&opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); + av_dict_set(opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); } } @@ -1714,7 +1714,7 @@ static int open_input(DASHContext *c, struct representation *pls, struct fragmen ff_make_absolute_url(url, c->max_url_size, c->base_url, seg->url); av_log(pls->parent, AV_LOG_VERBOSE, "DASH request for url '%s', offset %"PRId64", playlist %d\n", url, seg->url_offset, pls->rep_idx); - ret = open_url(pls->parent, &pls->input, url, c->avio_opts, opts, NULL); + ret = open_url(pls->parent, &pls->input, url, &c->avio_opts, opts, NULL); cleanup: av_free(url); diff --git a/libavformat/hls.c b/libavformat/hls.c index 3ab07f1b3f..f33ff3f645 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -617,7 +617,7 @@ static int open_url_keepalive(AVFormatContext *s, AVIOContext **pb, } static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, - AVDictionary *opts, AVDictionary *opts2, int *is_http_out) + AVDictionary **opts, AVDictionary *opts2, int *is_http_out) { HLSContext *c = s->priv_data; AVDictionary *tmp = NULL; @@ -664,7 +664,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) return AVERROR_INVALIDDATA; - av_dict_copy(&tmp, opts, 0); + av_dict_copy(&tmp, *opts, 0); av_dict_copy(&tmp, opts2, 0); if (is_http && c->http_persistent && *pb) { @@ -690,7 +690,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, av_opt_get(*pb, "cookies", AV_OPT_SEARCH_CHILDREN, (uint8_t**)&new_cookies); if (new_cookies) - av_dict_set(&opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); + av_dict_set(opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL); } av_dict_free(&tmp); @@ -1231,12 +1231,12 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg, seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - ret = open_url(pls->parent, in, seg->url, c->avio_opts, opts, &is_http); + ret = open_url(pls->parent, in, seg->url, &c->avio_opts, opts, &is_http); } else if (seg->key_type == KEY_AES_128) { char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { AVIOContext *pb = NULL; - if (open_url(pls->parent, &pb, seg->key, c->avio_opts, opts, NULL) == 0) { + if (open_url(pls->parent, &pb, seg->key, &c->avio_opts, opts, NULL) == 0) { ret = avio_read(pb, pls->key, sizeof(pls->key)); if (ret != sizeof(pls->key)) { av_log(pls->parent, AV_LOG_ERROR, "Unable to read key file %s\n", 
@@ -1260,7 +1260,7 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg, av_dict_set(&opts, "key", key, 0); av_dict_set(&opts, "iv", iv, 0); - ret = open_url(pls->parent, in, url, c->avio_opts, opts, &is_http); + ret = open_url(pls->parent, in, url, &c->avio_opts, opts, &is_http); if (ret < 0) { goto cleanup; }
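Review bot: The new `open_url()` signature in dashdec.c (hunk `@@ -400,7`) makes `opts` an in/out `AVDictionary **` that the body dereferences unconditionally (`av_dict_copy(&tmp, *opts, 0)`), while `opts2` stays a plain `AVDictionary *` that is only copied from, and nothing in the function says so. A short comment above the function stating that `opts` must be non-NULL, that `*opts` may be replaced by the call, and that `opts2` is read-only would keep a later caller from passing NULL or the address of a temporary. The identical signature change in hls.c (`@@ -617,7`) wants the same comment.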
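Review bot: In dashdec.c hunk `@@ -440,7`, the return values of `av_dict_copy(&tmp, *opts, 0)` and `av_dict_copy(&tmp, opts2, 0)` are still discarded, so a failed copy lets `avio_open2()` run with an incomplete `tmp`. Since this line is being touched anyway, consider checking the result and bailing out (freeing `tmp`) before the open. The matching lines in hls.c hunk `@@ -664,7` have the same gap.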
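Review bot: In hls.c hunk `@@ -690,7`, the result of `av_dict_set(opts, "cookies", new_cookies, AV_DICT_DONT_STRDUP_VAL)` is ignored, so now that the call writes through to the caller's dictionary, a failed update goes unnoticed and later requests go out with the previous cookies. Either propagate the error or log it at warning level; the same call in dashdec.c hunk `@@ -451,7` should be treated the same way.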
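The pass-by-value problem the commit message describes, reduced to a toy dictionary; this is an added example, not code from the patch or from FFmpeg. `Dict`, `dict_set()`, `open_url_before()`, `open_url_after()` and `entries_seen_by_caller()` are hypothetical names, and the demo exercises only the initially empty case, where the new dictionary is orphaned rather than an old one freed.

```c
#include <stdlib.h>

/* Toy stand-in for AVDictionary (hypothetical, not libavutil): one heap block
 * that realloc() may move on any insert; empty is NULL; strings are borrowed. */
typedef struct Dict { size_t count; const char *kv[]; } Dict;

/* Like av_dict_set(): takes the handle's address because the handle may change. */
static int dict_set(Dict **pd, const char *key, const char *val)
{
    size_t n = *pd ? (*pd)->count : 0;
    Dict *d = realloc(*pd, sizeof(*d) + (n + 1) * 2 * sizeof(d->kv[0]));
    if (!d)
        return -1;                /* old block, if any, is still valid */
    d->kv[2 * n]     = key;
    d->kv[2 * n + 1] = val;
    d->count = n + 1;
    *pd = d;                      /* the only handle that is valid from now on */
    return 0;
}

/* Pre-patch shape: &opts is the callee's copy; returned only so the demo can free it. */
static Dict *open_url_before(Dict *opts)
{
    dict_set(&opts, "cookies", "id=1");
    return opts;
}

/* Patched shape: the caller's own handle is updated. */
static int open_url_after(Dict **opts)
{
    return dict_set(opts, "cookies", "id=1");
}

/* Returns the entry count visible through an initially empty caller handle. */
static size_t entries_seen_by_caller(int patched)
{
    Dict *avio_opts = NULL, *orphan = NULL;
    size_t seen;
    if (patched)
        open_url_after(&avio_opts);
    else
        orphan = open_url_before(avio_opts);
    seen = avio_opts ? avio_opts->count : 0;
    free(orphan);                 /* pre-patch code has no pointer left to free this */
    free(avio_opts);
    return seen;
}

int main(void) { return !(entries_seen_by_caller(1) == 1 && entries_seen_by_caller(0) == 0); }
```

With a non-empty `Dict` the by-value variant would leave the caller holding a pointer that `realloc()` may already have released, which is the use-after-free the patch closes; the demo deliberately stops short of that to stay free of undefined behaviour.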