Opened 7 months ago

Closed 7 months ago

#7193 closed defect (needs_more_info)

Double free in libavformat/utils.c

Reported by: timmyyuan Owned by:
Priority: normal Component: avformat
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
at libavformat/utils.c:642, s->internal->id3v2_meta is freed by av_dict_free in the else-branch.
at libavformat/utils.c:661, if the if-branch condition turns out to be true, the program jumps to the fail handler at line 681.
at libavformat/utils.c:686, avformat_free_context(s) is called in the fail handler.
at libavformat/utils.c:4414, s->internal->id3v2_meta is freed a second time by av_dict_free inside avformat_free_context.

Change History (3)

comment:1 Changed 7 months ago by cehoyos

  • Keywords double free removed

How can I reproduce this issue?

comment:2 in reply to: ↑ 1 Changed 7 months ago by timmyyuan

Replying to cehoyos:

How can I reproduce this issue?

We found this flaw with a static analyzer. To trigger the double frees at line 682 (id3v2_extra_meta, first freed at 659) or line 686 (id3v2_meta, first freed at 642), a malloc error or memory corruption (corrupting the size of an AVPacket to a negative or very large number) can make the if-branches go to the fail handler. As a result, it will lead to a double free in all applications calling avformat_open_input.

// file ffmpeg/libavformat/utils.c
...
537 int avformat_open_input(AVFormatContext **ps, const char *filename,
538                         AVInputFormat *fmt, AVDictionary **options)
539 {
...
642         av_dict_free(&s->internal->id3v2_meta);
643         if (s->error_recognition & AV_EF_EXPLODE)
644             return AVERROR_INVALIDDATA;
645     }
...
650             if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0)
651                 goto fail;
652             if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0)
653                 goto fail;
654             if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0)
655                 goto fail;
...
659     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
660 
661     if ((ret = avformat_queue_attached_pictures(s)) < 0)
662         goto fail;
...
681 fail:
682     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
683     av_dict_free(&tmp);
684     if (s->pb && !(s->flags & AVFMT_FLAG_CUSTOM_IO))
685         avio_closep(&s->pb);
686     avformat_free_context(s);
687     *ps = NULL;
688     return ret;
689 }
...
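Whether the two releases described in this thread amount to a real double free hinges on one check: does the free helper reset the caller's pointer before the fail handler runs it again? The example below is added here and is not FFmpeg code; it models the ticket's control flow with a constructed pool-backed dictionary (dict_free_nulling, dict_free_dangling, context_free and open_input_pattern are hypothetical names), where the nulling variant follows the av_dict_free convention of clearing the pointer after freeing, so the outcome can be counted rather than triggered.

```c
#include <stdio.h>

/* Constructed stand-in for AVDictionary (not FFmpeg's allocator): a record in a
 * static pool carries a "freed" flag, so a second release of the same record is
 * counted instead of corrupting the heap. */
typedef struct Dict { int freed; } Dict;
static Dict pool[1];
static int double_free_count;

/* Mirrors the av_dict_free contract: release, then reset the caller's pointer.
 * NULL is a no-op, so a later call on the same lvalue releases nothing. */
static void dict_free_nulling(Dict **pm) {
    if (!*pm) return;
    if ((*pm)->freed) double_free_count++;
    (*pm)->freed = 1;
    *pm = NULL;
}
/* Same helper without the reset: the caller keeps a dangling pointer. */
static void dict_free_dangling(Dict **pm) {
    if (!*pm) return;
    if ((*pm)->freed) double_free_count++;
    (*pm)->freed = 1;
}

typedef struct Context { Dict *id3v2_meta; } Context;
typedef void (*free_fn)(Dict **);
/* Stand-in for avformat_free_context: unconditionally releases the member. */
static void context_free(Context *s, free_fn fr) { fr(&s->id3v2_meta); }

/* Models the control flow from the ticket: the metadata is released in an early
 * branch (utils.c:642 in the report); if a later step fails, the fail: path
 * frees the whole context (utils.c:686). Returns the double frees observed. */
static int open_input_pattern(free_fn fr, int later_error) {
    Context s = { &pool[0] };
    pool[0].freed = 0;
    double_free_count = 0;
    fr(&s.id3v2_meta);        /* else-branch: metadata discarded */
    if (later_error)          /* e.g. avformat_queue_attached_pictures() < 0 */
        goto fail;
    return double_free_count; /* success: caller keeps s until close */
fail:
    context_free(&s, fr);     /* avformat_free_context(s) */
    return double_free_count;
}

int main(void) {
    printf("nulling helper:  %d double free(s)\n", open_input_pattern(dict_free_nulling, 1));
    printf("dangling helper: %d double free(s)\n", open_input_pattern(dict_free_dangling, 1));
    return 0;
}
```

The same check applies to ff_id3v2_free_extra_meta and the id3v2_extra_meta pointer freed at lines 659 and 682: a static-analysis double-free finding on a free-and-goto-fail pattern is only confirmed once the helper is shown not to clear the pointer.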

comment:3 Changed 7 months ago by cehoyos

  • Resolution set to needs_more_info
  • Status changed from new to closed

Please provide a sample that allows reproducing the issue, or send a patch - made with git format-patch - that fixes the issue you see to the FFmpeg development mailing list.
