[FFmpeg-devel] [PATCH 1/2] libavdevice/avfoundation.m: fix protential unreleased lock issue

Sat Oct 2 06:01:22 EEST 2021

Hi, Thilo

https://patchwork.ffmpeg.org/project/ffmpeg/patch/20210826144024.95697-1-cyeaa@connect.ust.hk/

I hope this email finds you well. I am writing you to discuss whether it is possible to collaboratively apply CVE IDs for these issues.

Below is my understanding after eyeballing them for a while:

These two bug-located functions are registered as callbacks in the AVInputFormat structure, which means that they can be invoked multiple times. Thus, the unreleased lock problems could result in deadlocks, wreaking a DoS.

Moreover, previous CVE also shows that missing lock releases are potential risks for the system, such as these two CVE.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2650 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340

Looking forward to more interesting discussion. Let me know what I can help you with.

Thanks so much,
Chengfeng

获取 Outlook for iOS<https://aka.ms/o0ukef>
________________________________
发件人: ffmpeg-devel <ffmpeg-devel-bounces at ffmpeg.org> 代表 Thilo Borgmann <thilo.borgmann at mail.de>
发送时间: Friday, September 17, 2021 9:32:39 PM
收件人: ffmpeg-devel at ffmpeg.org <ffmpeg-devel at ffmpeg.org>
主题: Re: [FFmpeg-devel] [PATCH 1/2] libavdevice/avfoundation.m: fix protential unreleased lock issue

Am 26.08.21 um 16:40 schrieb Chengfeng Ye:
> The problem here is that the lock ctx->frame_lock will
> become an unreleased lock if the program returns at
> line 697, line 735 and line744.
>
> Cc: cyeaa at connect.ust.hk
> Bug tracker link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.ffmpeg.org%2Fticket%2F9385%2F%23ticket&data=04%7C01%7Ccyeaa%40connect.ust.hk%7C410d533d51004a8b100b08d979dfa7c1%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C637674823770955787%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=OgH7jfZNs1oettfBusfZpTx3maIGFcImvVJfpjGhkPQ%3D&reserved=0
>
> Signed-off-by: Chengfeng Ye <cyeaa at connect.ust.hk>
> ---
>  libavdevice/avfoundation.m | 3 +++
>  1 file changed, 3 insertions(+)

Pushed, thanks!

-Thilo
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel at ffmpeg.org
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmpeg-devel&data=04%7C01%7Ccyeaa%40connect.ust.hk%7C410d533d51004a8b100b08d979dfa7c1%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C637674823770955787%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=AD7wj9MQmb%2BbgnAsM0REWmlM2Y%2BzPYEoRLV95CgZZSw%3D&reserved=0

To unsubscribe, visit link above, or email
ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".