Opened 10 years ago

Closed 10 years ago

#3171 closed defect (invalid)

avio_close() misuses AVIOContext.opaque field

Reported by: Andrew Church
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

(Note: the following is true as of git e78d038187)

In avio.h, the AVIOContext.opaque field is documented as "A private pointer, passed to the read/write/seek/... functions", and avio_alloc_context() takes an "opaque" parameter which is similarly documented "An opaque pointer to user-specific data" and stored directly into the created structure's opaque field. However, avio_close() treats that field as a URLContext pointer:

int avio_close(AVIOContext *s)
{
    URLContext *h;
    ...
    h = s->opaque;
    ...
    return ffurl_close(h);
}

If a user-created AVIOContext makes use of the opaque field as documented, avio_close() may crash, inappropriately free memory, etc. when it interprets the user's opaque data as a URLContext structure.

Change History (2)

comment:1 by Andrew Church, 10 years ago

Never mind, apparently I was misusing av_close() (maybe leftover code from an old libavformat version?). Please ignore/close this bug.

comment:2 by Cigaes, 10 years ago

Resolution: invalid
Status: new → closed
This function can only be used if s was opened by avio_open().

Therefore, avio_close() should not be called on a user-created AVIOContext that makes use of the opaque field.
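
The open/close pairing rule from comment:2, as an added stand-alone C model (not FFmpeg code and not part of the ticket): the context records whether the library's open call created it, and the close path checks that flag before treating opaque as its own handle type. Every Model and model_ name is a hypothetical stand-in, and the ownership flag is an assumption of this sketch, not something the page says libavformat does.

```c
/* Added stand-alone model, not FFmpeg source; every name here is hypothetical. */
#include <stdlib.h>
#include <string.h>
typedef struct ModelURLContext { int fd; } ModelURLContext;
typedef struct ModelIOContext {
    void *opaque;  /* library handle, or the caller's private data */
    int from_open; /* set only by model_io_open(): records who owns opaque */
} ModelIOContext;

/* Library-opened context: opaque is a ModelURLContext the library owns. */
ModelIOContext *model_io_open(int fd) {
    ModelIOContext *s = calloc(1, sizeof(*s));
    ModelURLContext *h = calloc(1, sizeof(*h));
    if (!s || !h) { free(s); free(h); return NULL; }
    h->fd = fd; s->opaque = h; s->from_open = 1;
    return s;
}
/* Caller-created context: opaque is stored as given and never interpreted. */
ModelIOContext *model_io_alloc(void *user_opaque) {
    ModelIOContext *s = calloc(1, sizeof(*s));
    if (s) s->opaque = user_opaque;
    return s;
}
/* Checks ownership before casting: a caller's opaque is never freed here. */
int model_io_close(ModelIOContext *s) {
    if (!s) return 0;
    if (!s->from_open) return -1; /* wrong teardown: context left intact */
    free((ModelURLContext *)s->opaque); /* library-owned handle */
    free(s);
    return 0;
}
/* Teardown for caller-created contexts: frees the context, not the opaque. */
int model_io_free(ModelIOContext *s) {
    if (!s) return 0;
    if (s->from_open) return -1;
    free(s);
    return 0;
}
/* Constructed scenario: returns how many of the four checks held. */
int model_demo(void) {
    char user_state[8] = "private"; /* constructed caller data */
    ModelIOContext *u = model_io_alloc(user_state), *o = model_io_open(3);
    int ok = 0;
    if (!u || !o) return -1;
    ok += model_io_close(u) == -1 && strcmp(user_state, "private") == 0;
    ok += model_io_free(u) == 0;
    ok += model_io_free(o) == -1;
    ok += model_io_close(o) == 0;
    return ok;
}
```

In libavformat itself, a context created with avio_alloc_context() is released with avio_context_free() (av_free() in releases that predate it) rather than avio_close().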
