From patchwork Mon Feb 15 14:25:02 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 25634
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 15 Feb 2021 15:25:02 +0100
Message-Id: <20210215142505.514125-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 1/4] avformat/mpegenc: Ensure packet queue stays valid
Cc: Andreas Rheinhardt

The MPEG-PS muxer uses a custom queue of custom packets. To keep track of it, it has a pointer (named predecode_packet) to the head of the queue and a pointer to where the next packet is to be added (it points to the next-pointer of the last element of the queue); furthermore, there is also a pointer that points into the queue (called premux_packet).

The exact behaviour was as follows: If premux_packet is NULL when a packet is received, it is taken to mean that the old queue is empty and a new queue is started. premux_packet will point to the head of said queue and the next_packet-pointer points to its next pointer. If predecode_packet is NULL, it will also be made to point to the newly allocated element. But if premux_packet is NULL and predecode_packet is not, then there will be two queues with head elements premux_packet and predecode_packet. Yet only elements reachable from predecode_packet are ever freed, so the premux_packet queue leaks. Worse yet, when the predecode_packet queue is eventually exhausted, predecode_packet will be made to point into the other queue, and when predecode_packet is freed, the next pointer of the preceding element of the queue will still point to the element just freed. This element might very well be still reachable from premux_packet, which leads to use-after-frees later on.
This happened in the tickets mentioned below. Fix this by never creating two queues in the first place by checking for predecode_packet to know whether the queue is empty. If premux_packet is NULL, then it is set to the newly allocated element of the queue.

Fixes tickets #6887, #8188 and #8266.

Signed-off-by: Andreas Rheinhardt
---
Disclaimer: I don't know MPEG program streams very well; it might very well be that the mere fact that premux_packet can be NULL while predecode_packet isn't is indicative of a deeper bug. All I know is that this patch only changes behaviour in case the old behaviour was broken (i.e. led to leaks or use-after-frees).

 libavformat/mpegenc.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 9bd0a555d4..810dd717ca 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -48,9 +48,9 @@ typedef struct StreamInfo { uint8_t id; int max_buffer_size; /* in bytes */ int buffer_index; - PacketDesc *predecode_packet; + PacketDesc *predecode_packet; /* start of packet queue */ + PacketDesc *last_packet; /* end of packet queue */ PacketDesc *premux_packet; - PacketDesc **next_packet; int packet_number; uint8_t lpcm_header[3]; int lpcm_align; @@ -986,6 +986,8 @@ static int remove_decoded_packets(AVFormatContext *ctx, int64_t scr) } stream->buffer_index -= pkt_desc->size; stream->predecode_packet = pkt_desc->next; + if (!stream->predecode_packet) + stream->last_packet = NULL; av_freep(&pkt_desc); } }
@@ -1177,12 +1179,16 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) av_log(ctx, AV_LOG_TRACE, "dts:%f pts:%f flags:%d stream:%d nopts:%d\n", dts / 90000.0, pts / 90000.0, pkt->flags, pkt->stream_index, pts != AV_NOPTS_VALUE); - if (!stream->premux_packet) - stream->next_packet = &stream->premux_packet; - *stream->next_packet = pkt_desc = av_mallocz(sizeof(PacketDesc)); if (!pkt_desc) return AVERROR(ENOMEM); + if (!stream->predecode_packet) { + stream->predecode_packet = pkt_desc; + } else + stream->last_packet->next = pkt_desc; + stream->last_packet = pkt_desc; + if (!stream->premux_packet) + stream->premux_packet = pkt_desc; pkt_desc->pts = pts; pkt_desc->dts = dts; @@ -1200,9 +1206,6 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) pkt_desc->unwritten_size = pkt_desc->size = size; - if (!stream->predecode_packet) - stream->predecode_packet = pkt_desc; - stream->next_packet = &pkt_desc->next; if (av_fifo_realloc2(stream->fifo, av_fifo_size(stream->fifo) + size) < 0) return -1;
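Review bot: in the StreamInfo hunk, predecode_packet and last_packet now carry comments but premux_packet, the pointer whose NULL-while-the-queue-is-non-empty state is the root of the bug described in the commit message, still has none; a one-line comment stating that it points into the queue headed by predecode_packet (or is NULL once every queued packet has been written) would document the invariant this patch establishes.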
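Review bot: in the remove_decoded_packets() hunk, last_packet is reset when predecode_packet runs off the end, but nothing visible in the hunk shows what keeps the loop from freeing the element premux_packet still points to; if an earlier condition in the loop guarantees that (the loop stopping before it reaches premux_packet), a short comment next to the new `if (!stream->predecode_packet) stream->last_packet = NULL;` making the pair of invariants explicit (last_packet is NULL exactly when predecode_packet is, premux_packet is NULL or reachable from predecode_packet) would help the next reader.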
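Review bot: in the mpeg_mux_write_packet() hunk the new linking mixes brace styles, `if (!stream->predecode_packet) {` with a braced branch followed by an unbraced `} else stream->last_packet->next = pkt_desc;`; brace both branches or neither. The ordering itself is an improvement: the `AVERROR(ENOMEM)` return now happens before anything is linked, whereas the removed `*stream->next_packet = pkt_desc = av_mallocz(...)` stored the NULL result into the queue tail before the check.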
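Review bot: in the last hunk, pkt_desc is already reachable from predecode_packet and last_packet by the time `av_fifo_realloc2()` fails and the function returns -1, so on that path the queue keeps a descriptor whose payload never entered the FIFO; the removed lines show the old code linked through *next_packet before the realloc as well, so this is not a regression, but growing the FIFO before linking the descriptor (or unlinking it on failure) would close the gap while the code is being touched.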
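As an added illustration of the single-queue invariant the commit message describes (this is not part of the patch or of FFmpeg): a stand-alone C model that walks the exact case from the description, a packet fully muxed so that premux_packet is NULL while predecode_packet still holds it, and shows the next packet joining the same queue and the head and tail pointers being reset together. Names follow the patch; the buffer-size accounting is omitted and stopping the free loop at premux_packet is an assumption of this model.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-alone model (added here, not FFmpeg code) of the single packet queue the patch builds:
 * head predecode_packet, tail last_packet, cursor premux_packet; buffer accounting is left out. */
typedef struct PacketDesc { int64_t dts; struct PacketDesc *next; } PacketDesc;
typedef struct StreamInfo { PacketDesc *predecode_packet, *last_packet, *premux_packet; } StreamInfo;
/* Append a packet with the linking order the patched mpeg_mux_write_packet() uses. */
static int queue_push(StreamInfo *s, int64_t dts)
{
    PacketDesc *d = calloc(1, sizeof(*d));
    if (!d)
        return -1;
    d->dts = dts;
    if (!s->predecode_packet)
        s->predecode_packet = d;
    else
        s->last_packet->next = d;
    s->last_packet = d;
    if (!s->premux_packet) /* cursor may be NULL while the queue is not: no second queue */
        s->premux_packet = d;
    return 0;
}
/* Free decoded packets from the head like the patched remove_decoded_packets(); stopping at premux_packet is assumed here. */
static int queue_remove_decoded(StreamInfo *s, int64_t scr)
{
    int n = 0;
    PacketDesc *d;
    while ((d = s->predecode_packet) && scr > d->dts && d != s->premux_packet) {
        s->predecode_packet = d->next;
        if (!s->predecode_packet)
            s->last_packet = NULL; /* the patch's new reset, so the tail never dangles */
        free(d);
        n++;
    }
    return n;
}
/* Commit-message case: A is fully muxed (cursor NULL) before it is decoded, then B arrives. Returns checks passed (4). */
static int queue_scenario(void)
{
    StreamInfo s = {0};
    PacketDesc *a = NULL, *b = NULL;
    int ok = queue_push(&s, 100) == 0 && (a = s.predecode_packet) && a == s.last_packet && a == s.premux_packet;
    s.premux_packet = a ? a->next : NULL; /* A written: cursor NULL while A is still queued */
    ok += queue_push(&s, 200) == 0 && (b = s.last_packet) && a && a->next == b && s.premux_packet == b;
    ok += queue_remove_decoded(&s, 150) == 1 && s.predecode_packet == b && s.last_packet == b;
    s.premux_packet = NULL; /* B written */
    ok += queue_remove_decoded(&s, 250) == 1 && !s.predecode_packet && !s.last_packet;
    return ok;
}
```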