From patchwork Sun Feb 18 15:10:06 2024
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 46350
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 18 Feb 2024 16:10:06 +0100
X-Microsoft-Original-Message-ID: <20240218151007.3971609-1-andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 1/2] fftools/ffmpeg_mux_init: Fix attachment_filename use-after-free

The filename is freed with the OptionsContext and therefore there will be a use-after-free when reporting the filename in print_stream_maps(). So create a copy of the string.

This is a regression since 8aed3911fc454e79697e183660bf30d31334a64b. fate-lavf-mkv_attachment exhibits it (and reports a random nonsense filename here), but this does not make the test fail (not even with valgrind; only with ASAN, as it aborts on use-after-free).

Signed-off-by: Andreas Rheinhardt
--- fftools/ffmpeg.h | 2 +- fftools/ffmpeg_mux.c | 2 ++ fftools/ffmpeg_mux_init.c | 10 +++++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h index 33750e0bb3..c394f60962 100644 --- a/fftools/ffmpeg.h +++ b/fftools/ffmpeg.h @@ -555,7 +555,7 @@ typedef struct OutputStream { AVDictionary *swr_opts; char *apad; - const char *attachment_filename; + char *attachment_filename; int keep_pix_fmt; diff --git a/fftools/ffmpeg_mux.c b/fftools/ffmpeg_mux.c index e65fe89992..5a648c0568 100644 --- a/fftools/ffmpeg_mux.c +++ b/fftools/ffmpeg_mux.c @@ -817,6 +817,8 @@ static void ost_free(OutputStream **post) av_freep(&ost->logfile_prefix); av_freep(&ost->apad); + av_freep(&ost->attachment_filename); + #if FFMPEG_OPT_MAP_CHANNEL av_freep(&ost->audio_channels_map); ost->audio_channels_mapped = 0; diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c index 0718487c53..1abbb2d945 100644
--- a/fftools/ffmpeg_mux_init.c +++ b/fftools/ffmpeg_mux_init.c @@ -1741,6 +1741,7 @@ static int of_add_attachments(Muxer *mux, const OptionsContext *o) for (int i = 0; i < o->nb_attachments; i++) { AVIOContext *pb; uint8_t *attachment; + char *attachment_filename; const char *p; int64_t len; @@ -1788,13 +1789,20 @@ read_fail: av_log(mux, AV_LOG_VERBOSE, "Creating attachment stream from file %s\n", o->attachments[i]); + attachment_filename = av_strdup(o->attachments[i]); + if (!attachment_filename) { + av_free(attachment); + return AVERROR(ENOMEM); + } + err = ost_add(mux, o, AVMEDIA_TYPE_ATTACHMENT, NULL, NULL, &ost); if (err < 0) { + av_free(attachment_filename); av_freep(&attachment); return err; } - ost->attachment_filename = o->attachments[i]; + ost->attachment_filename = attachment_filename; ost->par_in->extradata = attachment; ost->par_in->extradata_size = len;
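
Review bot: in the fftools/ffmpeg.h hunk, dropping `const` from `attachment_filename` is the only signal that OutputStream now owns this string. A one-line comment on the field stating that it is an av_strdup()ed copy released in ost_free() would help prevent a later change from storing a borrowed pointer such as `o->attachments[i]` there again, which the new `av_freep(&ost->attachment_filename)` in ost_free() would then free behind the owner's back.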
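
Review bot: in the second fftools/ffmpeg_mux_init.c hunk (the one after `read_fail:`), the two new failure paths release `attachment` in different ways: `av_free(attachment)` when av_strdup() fails and `av_freep(&attachment)` when ost_add() fails. Use one form in both. The local variable and the extra `av_free(attachment_filename)` could also be dropped by duplicating the string after ost_add() has succeeded and assigning the result directly to `ost->attachment_filename`, with the NULL check there. That is only safe if the caller's failure path runs ost_free() on the new stream, which is not visible in this hunk, so it would need to be confirmed and mentioned in the commit message.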