[FFmpeg-devel] [PATCH 13/21] avfilter/vf_remap: Fix double-free of AVFilterFormats on error
Paul B Mahol
onemda at gmail.com
Wed Aug 19 22:22:49 EEST 2020
On 8/9/20, Andreas Rheinhardt <andreas.rheinhardt at gmail.com> wrote:
> The query_formats function of the remap filter tries to allocate
> two lists of formats which on success are attached to more permanent objects
> (AVFilterLinks) for storage afterwards. If attaching a list to an
> AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more
> exactly, the AVFilterLink becomes one of the common owners of the list).
> Yet if attaching a list to one of its links succeeds and an error happens
> lateron, both lists were manually freed, which means that is wrong if the
> list is already owned by one or more links; these links' pointers to
> their lists will become dangling and there will be a double-free/use-after-
> free when these links are cleaned up automatically.
>
> This commit fixes this by removing the custom free code; this will
> temporarily add a leaking codepath (if attaching a list not already
> owned by a link to a link fails, the list will leak), but this will
> be fixed soon by making sure that an AVFilterFormats without owner will
> be automatically freed when attaching it to an AVFilterLink fails.
> Notice at most one list leaks because a new list is only allocated
> after the old list has been successfully attached to a link.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
> libavfilter/vf_remap.c | 24 +++++++-----------------
> 1 file changed, 7 insertions(+), 17 deletions(-)
>
LGTM
More information about the ffmpeg-devel
mailing list