From patchwork Mon Aug 10 12:50:47 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 21581
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 10 Aug 2020 14:50:47 +0200
Message-Id: <20200810125047.3101-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/mpegts: Don't leave context in inconsistent state upon error
List-Id: FFmpeg development discussions and patches
Cc: Andreas Rheinhardt

Up until now, opening a section filter works as follows: A filter is opened and (on success) attached to the MpegTSContext. Then a buffer for said filter is allocated and upon success attached to the section filter; on error, the filter is simply freed without removing it from the MpegTSContext, leaving the latter in an inconsistent state. This leads to use-after-frees later on.

This commit fixes this by allocating the buffer first; the filter is only opened if the buffer could be successfully allocated.
Signed-off-by: Andreas Rheinhardt
---
At first I wanted to use a flexible array member for this buffer (do we actually support any compiler that doesn't support flexible array members?), yet for some reason unknown to me a structure containing a flexible array member must not be contained in another structure or union (not even at the end, although it makes sense to do so). GCC gives a warning in pedantic mode for this.

 libavformat/mpegts.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index c6fd3e1cef..f71f18a57d 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -510,20 +510,22 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, { MpegTSFilter *filter; MpegTSSectionFilter *sec; + uint8_t *section_buf = av_mallocz(MAX_SECTION_SIZE); - if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION))) + if (!section_buf) return NULL; + + if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION))) { + av_free(section_buf); + return NULL; + } sec = &filter->u.section_filter; sec->section_cb = section_cb; sec->opaque = opaque; - sec->section_buf = av_mallocz(MAX_SECTION_SIZE); + sec->section_buf = section_buf; sec->check_crc = check_crc; sec->last_ver = -1; - if (!sec->section_buf) { - av_free(filter); - return NULL; - } return filter; }
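Review bot: the reorder is sound because mpegts_open_filter becomes the last step in the function that can fail, so when NULL is returned nothing has been attached to ts; the removed `av_free(filter);` in the old error path was the real defect, since it freed a filter that mpegts_open_filter had already attached to the MpegTSContext without detaching it, which is what left the context pointing at freed memory. One consequence worth a sentence in the commit message: if mpegts_open_filter can fail for reasons other than an allocation failure (for example the pid already being in use), the new order allocates and immediately frees a MAX_SECTION_SIZE buffer in that case. That is harmless, and it is the price of not needing a full teardown on the error path, but it is not obvious from the diff alone.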
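As an added example, not code from the patch or from FFmpeg, the following miniature C model shows the publish-then-allocate error path the commit message describes beside the allocate-first ordering the patch adopts, with a fault-injecting allocator so the failing path can actually be driven rather than reasoned about. `Ctx`, `Filter`, `open_filter`, `close_filter`, `alloc_z`, the two `open_section_filter_*` variants, `NB_PIDS` and the `MAX_SECTION_SIZE` value are all hypothetical stand-ins for MpegTSContext, MpegTSFilter, mpegts_open_filter and mpegts_open_section_filter; they are not libavformat's definitions.

```c
/* Added example, not FFmpeg code: a miniature model of the publish-then-allocate
 * bug the commit message describes, beside the allocate-first ordering the patch
 * adopts. Every name here is a hypothetical stand-in for MpegTSContext,
 * MpegTSFilter, mpegts_open_filter and mpegts_open_section_filter. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NB_PIDS          16    /* made-up table size */
#define MAX_SECTION_SIZE 4096  /* made-up buffer size */

typedef struct Filter {
    int      pid;
    uint8_t *section_buf;      /* the second allocation, the one that failed */
} Filter;

typedef struct Ctx {
    Filter *pids[NB_PIDS];     /* shared table; a freed filter must not stay here */
} Ctx;

/* Fault injection: the Nth allocation from now returns NULL (0 = never fail). */
static int fail_on_alloc;
static void *alloc_z(size_t n)
{
    if (fail_on_alloc && --fail_on_alloc == 0)
        return NULL;
    return calloc(1, n);
}

/* Allocate a filter and publish it in the table (the mpegts_open_filter role). */
static Filter *open_filter(Ctx *ctx, int pid)
{
    Filter *f;
    if (pid < 0 || pid >= NB_PIDS || ctx->pids[pid])
        return NULL;
    if (!(f = alloc_z(sizeof(*f))))
        return NULL;
    f->pid = pid;
    ctx->pids[pid] = f;
    return f;
}

/* Correct teardown: unpublish first, then free. */
static void close_filter(Ctx *ctx, Filter *f)
{
    ctx->pids[f->pid] = NULL;
    free(f->section_buf);
    free(f);
}

/* Pre-patch ordering: publish, then allocate. On failure the filter is freed but
 * ctx->pids[pid] still points at it, so a later walk of the table is a use-after-free. */
static Filter *open_section_filter_buggy(Ctx *ctx, int pid)
{
    Filter *f = open_filter(ctx, pid);
    if (!f)
        return NULL;
    if (!(f->section_buf = alloc_z(MAX_SECTION_SIZE))) {
        free(f);               /* dangling table entry left behind */
        return NULL;
    }
    return f;
}

/* Patch ordering: acquire everything that can fail before publishing, so nothing
 * has to be undone once the filter is visible in the table. */
static Filter *open_section_filter_fixed(Ctx *ctx, int pid)
{
    uint8_t *section_buf = alloc_z(MAX_SECTION_SIZE);
    Filter *f;
    if (!section_buf)
        return NULL;
    if (!(f = open_filter(ctx, pid))) {
        free(section_buf);
        return NULL;
    }
    f->section_buf = section_buf;
    return f;
}

/* Run one variant with the fail_nth-th allocation forced to fail. Returns 1 if the
 * slot is empty afterwards (consistent), 0 if it still holds a pointer (dangling),
 * -1 if the open unexpectedly succeeded. */
static int slot_consistent_after_failed_open(Filter *(*open_fn)(Ctx *, int),
                                             int pid, int fail_nth)
{
    Ctx ctx;
    Filter *f;
    memset(&ctx, 0, sizeof(ctx));
    fail_on_alloc = fail_nth;
    f = open_fn(&ctx, pid);
    fail_on_alloc = 0;
    if (f) {
        close_filter(&ctx, f);
        return -1;
    }
    return ctx.pids[pid] == NULL;
}

int main(void)
{
    int b = slot_consistent_after_failed_open(open_section_filter_buggy, 5, 2);
    int g = slot_consistent_after_failed_open(open_section_filter_fixed, 5, 2);
    printf("2nd allocation fails: buggy slot %s, fixed slot %s\n",
           b == 1 ? "clean" : "DANGLING", g == 1 ? "clean" : "DANGLING");
    return 0;
}
```

With the second allocation forced to fail, the buggy variant returns NULL while `ctx.pids[5]` still holds the freed pointer; the fixed variant returns NULL with the slot empty, because the only step that can fail after the buffer exists is the one that publishes the filter, and that step publishes nothing on failure. The general rule the patch applies is to acquire every fallible resource before an object becomes reachable from shared state, so that no error path ever has to undo a publication. The counter-based fault injector is the cheapest way to exercise such paths in a unit test; for the real code, running the demuxer under AddressSanitizer with a failing allocator is the equivalent check.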