From patchwork Fri Oct 8 07:59:11 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 30995
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 8 Oct 2021 09:59:11 +0200
X-Mailer: git-send-email 2.30.2
X-Microsoft-Original-Message-ID: <20211008075914.1140150-1-andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 1/4] avfilter/avfiltergraph: Fix use-after-free when inserting auto-converter
Cc: Paul B Mahol, Andreas Rheinhardt

When inserting an auto-resampler, it may be that the configuration of the filters that the auto-resampler is supposed to connect is already partially merged, i.e. converter->inputs[0].incfg.foo and converter->outputs[0].outcfg.foo (where foo is one of formats, samplerates, channel_layouts) can coincide. Therefore merging the converter filter's input link might modify the outcfg of the converter's outlink. Yet the current code in avfiltergraph.c used pointers from before merging the inlink for merging the outlink, leading to a use-after-free in command lines like:

$ ffmpeg -f lavfi -i anullsrc=cl=stereo -lavfi channelsplit,axcorrelate -f null -

Fix this by not using outdated values when merging the outlink.

This is a regression since 85a6404d7e6c759ddf71d6374812d7ff719728ec.

Found-by: Paul B Mahol
Signed-off-by: Andreas Rheinhardt
---
 libavfilter/avfiltergraph.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c
index e536abef8e..0e3de3cd56 100644
--- a/libavfilter/avfiltergraph.c
+++ b/libavfilter/avfiltergraph.c
@@ -520,14 +520,13 @@ static int query_formats(AVFilterGraph *graph, void *log_ctx) av_assert0(outlink-> incfg.channel_layouts->refcount > 0); av_assert0(outlink->outcfg.channel_layouts->refcount > 0); } +#define MERGE(merger, link) \ + ((merger)->merge(FF_FIELD_AT(void *, (merger)->offset, link->incfg), \ + FF_FIELD_AT(void *, (merger)->offset, link->outcfg))) for (neg_step = 0; neg_step < neg->nb_mergers; neg_step++) { const AVFilterFormatsMerger *m = &neg->mergers[neg_step]; - void *ia = FF_FIELD_AT(void *, m->offset, inlink->incfg); - void *ib = FF_FIELD_AT(void *, m->offset, inlink->outcfg); - void *oa = FF_FIELD_AT(void *, m->offset, outlink->incfg); - void *ob = FF_FIELD_AT(void *, m->offset, outlink->outcfg); - if ((ret = m->merge(ia, ib)) <= 0 || - (ret = m->merge(oa, ob)) <= 0) { + if ((ret = MERGE(m, inlink)) <= 0 || + (ret = MERGE(m, outlink)) <= 0) { if (ret < 0) return ret; av_log(log_ctx, AV_LOG_ERROR,
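Review bot: the MERGE macro added at the top of this hunk uses its `link` parameter unparenthesized in `link->incfg` and `link->outcfg`; write `(link)->incfg` / `(link)->outcfg` for macro hygiene, and since it is defined inside query_formats() rather than at file scope, add a matching `#undef MERGE` once the loop is done so the name does not leak into the rest of the file (no undef is visible in this hunk). The fix itself reads correctly: re-evaluating FF_FIELD_AT on `inlink`/`outlink` at the moment of each `m->merge()` call, instead of caching `ia`/`ib`/`oa`/`ob` before the first merge, means the outlink merge sees whatever pointers the inlink merge left behind, which is exactly the stale-pointer case the commit message describes when the two configs coincide. Note that the `||` short-circuit keeps the pre-existing behaviour of skipping the outlink merge when the inlink merge returns 0 or an error, so the error path below the hunk is unchanged.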