From patchwork Tue May 25 08:01:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhao Zhili X-Patchwork-Id: 27941 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a6b:b214:0:0:0:0:0 with SMTP id b20csp3659463iof; Tue, 25 May 2021 01:02:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzGXecE+m8aOsgyKQJVPX6S+k+Ti/NAGb8RUjXYCSCyakkv77WIEF1Ql7wv+mmC+4P+b6uN X-Received: by 2002:a05:6402:4402:: with SMTP id y2mr16364818eda.55.1621929725834; Tue, 25 May 2021 01:02:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621929725; cv=none; d=google.com; s=arc-20160816; b=eyqdhKpEmP9uV1Pt/Hfx9MpT6KsLtiB8sWaJexiMiHHzGBpw43kjouF9HYNRoAVIed kK5HiQt3D0vCozmaKvdJs/QzvAu8TUGm5TW8fYOImeXc1EiUgQTaWiJR0iLmNviZnEz8 Tnh2ewL6SshWNd+u5RjRvFD/iFqPRSuE1+/zR259o/yyaPesuwTfeh0Za9y0aSAtEXaH 2HbOY9nwa5s62qrsyd/c9iOQenBdTqVtuRwtXp98337dtUMu/RwhFi32i9xS9S7mIVqc uaAN/bj31Cvf3qffGHQ3Cyx0e3jnsdbeXLgqtQu4myBrd6K/nHhIsyrXu3DUUU9PsOI2 W7qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:cc:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:mime-version:date:to:from:message-id :dkim-signature:delivered-to; bh=5i4n1sqAzoVWA9H2l0F2zSFWJJbAWviaOKYg7I7mT38=; b=GooJXPWhV80yD+OQHrsreQapiSLvB4k5XC187S5rbEe7BlDBG/HkWtFseaRLZF8iQ4 RXKKKZXGS6kV71AB8grJn2UHA2Sown8Z+V4kXP9A5ZhSjmf8LVgiVNYhstV9YHgbErOD 450bUrfEFYpfSTJFgtOOt4Q5Y0AtiPaJJxJR8QdOyCQ83gLqL/SYaXXlQG7VgTmDUwWh zZpkW7CXZonZsVVlJr4RvdCIlKKvc7B61JG1fMr9xgZBs5PvQK0y5VZP72cq6wv+98S2 k2qO15PDVftAFCDmuT39MJlnuic5nbUe+BkYdlo0HC97W8suyPDuhVcl8cPSper2U2ei 731w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@foxmail.com header.s=s201512 header.b=kQaOfJ9J; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id f8si14791470edr.77.2021.05.25.01.02.04; Tue, 25 May 2021 01:02:05 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@foxmail.com header.s=s201512 header.b=kQaOfJ9J; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=foxmail.com Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4E053689CDF; Tue, 25 May 2021 11:02:00 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from out162-62-57-49.mail.qq.com (out162-62-57-49.mail.qq.com [162.62.57.49]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id F04B268996A for ; Tue, 25 May 2021 11:01:53 +0300 (EEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=foxmail.com; s=s201512; t=1621929710; bh=rpqp6T5ZpSadCaedWlUArUczILstbp8XLycx5bxDVX4=; h=From:To:Cc:Subject:Date; b=kQaOfJ9JGLsbmh8SOdpVDIv7DkKhcvFWG7FzOt4LadcZ4S5ajAGts6JKacmddRDA1 a6tq3M24iDLr6IRYexm9AD6xBcCOFILHZdpjcjKE5C+CjXJHnHLhaqMm9Oj98rKIna MFkwXHlshd20w1OzXxY+cNyXC6Et6Z1imufToo04= Received: from ZHILIZHAO-MB2.tencent.com ([113.108.77.56]) by newxmesmtplogicsvrsza8.qq.com (NewEsmtp) with SMTP id 70946D9; Tue, 25 May 2021 16:01:48 +0800 X-QQ-mid: xmsmtpt1621929708t451snbkf Message-ID: X-QQ-XMAILINFO: NhHA7dEGFJ5efK/V1n1emG7a36OV5bVLHDr0AR1cHBPNZPYJfLzHhthUy2dKKC S6fJ/Yylv3L7XbydfUzd/GKxub8mCB3/VpkfWYsALt+t2IIQzry11/zYecgiA68JOfNaLNfFZVQM Q5mlNs4R4KEvB/Ob5lEoBBq5s24Nj2fNDKp6T+1DNrzB4zE4WehDrIxSo8WYSxdofSqOvqP0+d6B uxGjOtQoijKhr9kh6mH5s3YSTBRth9FRvs5IF874Dr3HWLV0/Lyb+uS0eVm1JoWi0TIgPiEDS27V 9eUZ1NXA54tYXToiIPZ9r+pst9T2HmbSNo3/AJZ8KxARHoRJ7jWdj0KySj3UMAHhkzuQzCcPmSzz JVb4G5VtK02PtjdppT7eDtCT2y/Z7NsmgRy+HALewwu2woj4BmyvQhGv74O7kjyYQ4P6UsIXThib zp9LXFL88+NWpLlb2bPRO8gtVRLqf5uf9sg2aoGPkaT+IRNblO/ImKCEdtsPxfqKwpoSfwAA3g4B EysfwpqAGWDZtFKZ1peRptraMZYyU9DL0fTMD4wrNqTcNgQCXovRI5I0DVxcJEXCe2k2m/7Jvk55 pDv61x90vGf8981s5Sb7t8qs/xZlohH+IdueOxx1Qmii7Zm6pyJXUkl5wqGIqApOO9D57sozP3f4 TLGae162cH2EGZdI/BFNaoC3l3vekMGXZuy73gMkXvKHVjb02Gar2wjiZFqqOSrbdrDZTCbCSPFG RbJ/jsSt9OrLSBm8ys7wR8GJlDkYsGnsFSqoxusnauUrFo4EKbqzjoSmTfYjWQvtIk54lQKAZDlM ayGbDRU/mztt5YNVIhG1LM From: Zhao Zhili To: ffmpeg-devel@ffmpeg.org Date: Tue, 25 May 2021 16:01:48 +0800 X-OQ-MSGID: <20210525080148.42314-1-quinkblack@foxmail.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avformat/librist: fix logging setting X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Zhao Zhili Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 5TzOjxnkh+oY The librist logging API is confusing. It looks like a per instance setting but saves a copy to global static variable quietly. So there is a potential use-after-free issue with log_cb_arg. librist took zero as invalid file descriptor at first. After the problem was fixed, now it will close the zero file desscriptor. So log_socket must be initialized to -1. See https://code.videolan.org/rist/librist/-/issues/98 --- libavformat/librist.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/libavformat/librist.c b/libavformat/librist.c index 01a3f9c122..46bb71cf87 100644 --- a/libavformat/librist.c +++ b/libavformat/librist.c @@ -24,6 +24,7 @@ #include "libavutil/avassert.h" #include "libavutil/opt.h" #include "libavutil/parseutils.h" +#include "libavutil/thread.h" #include "libavutil/time.h" #include "avformat.h" @@ -99,6 +100,38 @@ static int log_cb(void *arg, enum rist_log_level log_level, const char *msg) return 0; } +static void librist_set_global_log_callback(void) +{ + static struct rist_logging_settings logging_settings = { + .log_level = RIST_LOG_INFO, + .log_cb = log_cb, + .log_cb_arg = NULL, + .log_socket = -1, + .log_stream = NULL, + }; + rist_logging_set_global(&logging_settings); +} + +static int librist_setup_log(RISTContext *s, struct rist_logging_settings *logging_settings) +{ + int ret; + static AVOnce init_static_once = AV_ONCE_INIT; + + if (!logging_settings) + return AVERROR(EINVAL); + + // set global log callback first, otherwise rist_logging_set() will copy + // logging_settings to a global static variable, which can leads to + // use-after-free + ff_thread_once(&init_static_once, librist_set_global_log_callback); + + logging_settings->log_socket = -1; + ret = rist_logging_set(&logging_settings, s->log_level, log_cb, s, NULL, NULL); + if (ret < 0) + return risterr2ret(ret); + return 0; +} + static int librist_close(URLContext *h) { RISTContext *s = h->priv_data; @@ -123,9 +156,9 @@ static int librist_open(URLContext *h, const char *uri, int flags) if ((flags & AVIO_FLAG_READ_WRITE) == AVIO_FLAG_READ_WRITE) return AVERROR(EINVAL); - ret = rist_logging_set(&logging_settings, s->log_level, log_cb, h, NULL, NULL); + ret = librist_setup_log(s, logging_settings); if (ret < 0) - return risterr2ret(ret); + return ret; if (flags & AVIO_FLAG_WRITE) { h->max_packet_size = s->packet_size;