Message ID | 20210826144024.95697-1-cyeaa@connect.ust.hk
---|---
State | Accepted
Commit | 9bbdfbfb32e5ad94a06a4ce2830a655009378684
Series | [FFmpeg-devel,1/2] libavdevice/avfoundation.m: fix protential unreleased lock issue
Context | Check | Description
---|---|---
andriy/make_x86 | success | Make finished
andriy/make_fate_x86 | success | Make fate finished
andriy/make_ppc | success | Make finished
andriy/make_fate_ppc | success | Make fate finished
On 26.08.21 at 16:40, Chengfeng Ye wrote:
> The problem here is that the lock ctx->frame_lock will
> become an unreleased lock if the program returns at
> line 697, line 735 and line 744.
>
> Cc: cyeaa@connect.ust.hk
> Bug tracker link: https://trac.ffmpeg.org/ticket/9385#ticket
>
> Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
> ---
> libavdevice/avfoundation.m | 3 +++
> 1 file changed, 3 insertions(+)

Pushed, thanks!

-Thilo
Hi, Thilo

https://patchwork.ffmpeg.org/project/ffmpeg/patch/20210826144024.95697-1-cyeaa@connect.ust.hk/

I hope this email finds you well. I am writing to you to discuss whether it is possible to collaboratively apply for CVE IDs for these issues. Below is my understanding after eyeballing them for a while:

These two bug-located functions are registered as callbacks in the AVInputFormat structure, which means that they can be invoked multiple times. Thus, the unreleased lock problems could result in deadlocks, wreaking a DoS. Moreover, previous CVEs also show that missing lock releases are potential risks for the system, such as these two CVEs:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340

Looking forward to more interesting discussion. Let me know what I can help you with.

Thanks so much,
Chengfeng
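Chengfeng's point above (the callback can be invoked again after an error return, and the next lock attempt then deadlocks), as an added example that is not part of this thread or of FFmpeg's code: a plain-C stand-in for ctx->frame_lock with the pre-fix early returns beside a single-exit rewrite, and a harness that calls each version twice. The `ctx_t` type, `ERR_WOULD_DEADLOCK` and `second_call_result` are constructed for this example; the stand-in lock reports a would-be deadlock instead of actually blocking so the leak can be observed.

```c
#include <stdlib.h>

/* Constructed stand-in for avfoundation's ctx->frame_lock: non-reentrant like
 * NSLock, but it reports a would-be deadlock instead of blocking forever. */
typedef struct { int lock_held; void *audio_buffer; } ctx_t;
#define ERR_WOULD_DEADLOCK (-2)
static int lock_frames(ctx_t *c)
{
    if (c->lock_held) return ERR_WOULD_DEADLOCK;  /* the real lock would hang */
    c->lock_held = 1;
    return 0;
}
static void unlock_frames(ctx_t *c) { c->lock_held = 0; }

/* Before the fix: both error returns leave frame_lock held. */
int get_audio_config_buggy(ctx_t *c, int format_ok, size_t buf_size)
{
    if (lock_frames(c)) return ERR_WOULD_DEADLOCK;
    if (!format_ok) return 1;                      /* lock leaked */
    c->audio_buffer = malloc(buf_size);
    if (!c->audio_buffer) return 1;                /* lock leaked */
    unlock_frames(c);
    return 0;
}

/* After the fix, restructured so one exit path always releases the lock. */
int get_audio_config_fixed(ctx_t *c, int format_ok, size_t buf_size)
{
    int ret = 0;
    if (lock_frames(c)) return ERR_WOULD_DEADLOCK;
    if (!format_ok) { ret = 1; goto out; }
    c->audio_buffer = malloc(buf_size);
    if (!c->audio_buffer) { ret = 1; goto out; }
out:
    unlock_frames(c);
    return ret;
}

/* Invoke the callback twice with an unsupported format, as the device layer
 * may. The second call's result exposes the leak: ERR_WOULD_DEADLOCK vs. 1. */
int second_call_result(int use_fixed)
{
    ctx_t c = {0, NULL};
    int (*fn)(ctx_t *, int, size_t) = use_fixed ? get_audio_config_fixed
                                                : get_audio_config_buggy;
    fn(&c, 0, 16);                  /* first call takes the error path */
    int r = fn(&c, 0, 16);          /* second call: deadlock or not? */
    free(c.audio_buffer);
    return r;
}
```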
diff --git a/libavdevice/avfoundation.m b/libavdevice/avfoundation.m index 1d108417be..8ce3d064c5 100644 --- a/libavdevice/avfoundation.m +++ b/libavdevice/avfoundation.m @@ -693,6 +693,7 @@ static int get_audio_config(AVFormatContext *s) const AudioStreamBasicDescription *basic_desc = CMAudioFormatDescriptionGetStreamBasicDescription(format_desc); if (!basic_desc) { + unlock_frames(ctx); av_log(s, AV_LOG_ERROR, "audio format not available\n"); return 1; } @@ -731,6 +732,7 @@ static int get_audio_config(AVFormatContext *s) ctx->audio_packed) { stream->codecpar->codec_id = ctx->audio_be ? AV_CODEC_ID_PCM_S32BE : AV_CODEC_ID_PCM_S32LE; } else { + unlock_frames(ctx); av_log(s, AV_LOG_ERROR, "audio format is not supported\n"); return 1; } @@ -740,6 +742,7 @@ static int get_audio_config(AVFormatContext *s) ctx->audio_buffer_size = CMBlockBufferGetDataLength(block_buffer); ctx->audio_buffer = av_malloc(ctx->audio_buffer_size); if (!ctx->audio_buffer) { + unlock_frames(ctx); av_log(s, AV_LOG_ERROR, "error allocating audio buffer\n"); return 1; }
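Review bot: In the first hunk (the `if (!basic_desc)` block at line 693) the fix places `unlock_frames(ctx);` immediately before the error return, and the same line is then repeated before the returns in the second and third hunks; a single `fail:` label in get_audio_config that calls `unlock_frames(ctx)` and returns the error, reached by `goto` from each check, would release the lock in one place and keep any future early return in this function from reintroducing the same leak.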
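Review bot: In the third hunk the allocation-failure path (`if (!ctx->audio_buffer)`) still ends in `return 1;`; the usual FFmpeg convention for a failed av_malloc is `return AVERROR(ENOMEM);`, and the other two error paths would likewise normally return a negative AVERROR value rather than 1. That is pre-existing behaviour rather than part of this fix, but it is worth a follow-up patch so the caller can tell the failure cause apart.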
The problem here is that the lock ctx->frame_lock will become an unreleased lock if the program returns at line 697, line 735 and line 744.

Cc: cyeaa@connect.ust.hk
Bug tracker link: https://trac.ffmpeg.org/ticket/9385#ticket

Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
---
libavdevice/avfoundation.m | 3 +++
1 file changed, 3 insertions(+)