Opened 11 years ago
Closed 11 years ago
#3171 closed defect (invalid)
avio_close() misuses AVIOContext.opaque field
| Reported by: | Andrew Church | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
(Note: the following is true as of git e78d038187)
In avio.h, the AVIOContext.opaque field is documented as "A private pointer, passed to the read/write/seek/... functions", and avio_alloc_context() takes an "opaque" parameter which is similarly documented "An opaque pointer to user-specific data" and stored directly into the created structure's opaque field. However, avio_close() treats that field as a URLContext pointer:
    int avio_close(AVIOContext *s)
    {
        URLContext *h;
        ...
        h = s->opaque;
        ...
        return ffurl_close(h);
    }
If a user-created AVIOContext makes use of the opaque field as documented, avio_close() may crash, inappropriately free memory, etc. when it interprets the user's opaque data as a URLContext structure.
Change History (2)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
This function can only be used if s was opened by avio_open(). Therefore, avio_close() should not be called on a user-created AVIOContext that makes use of the opaque field.
Never mind, apparently I was misusing av_close() (maybe leftover code from an old libavformat version?). Please ignore/close this bug.
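The ownership rule discussed in this ticket, as an added example that is not part of the ticket and is not FFmpeg code: a self-contained miniature in which the close routine checks who owns `opaque` before casting it. All `Mini*` and `mini_*` names, the `owned_by_lib` flag and the `-EINVAL` return are hypothetical and only model the avio_open() / avio_alloc_context() / avio_close() relationship.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical miniature of the pattern in this ticket; not FFmpeg code. */
typedef struct MiniURL { int is_open; } MiniURL;   /* library-private handle */
typedef struct MiniIO {
    void *opaque;       /* MiniURL* if library-opened, otherwise caller data */
    int   owned_by_lib; /* set only by mini_open() */
} MiniIO;

int g_url_closed;       /* counts library handles released by mini_close() */

/* Analogue of avio_open(): the library stores its own handle in opaque. */
MiniIO *mini_open(void) {
    MiniIO  *s = calloc(1, sizeof(*s));
    MiniURL *h = calloc(1, sizeof(*h));
    if (!s || !h) { free(s); free(h); return NULL; }
    h->is_open = 1;
    s->opaque = h;
    s->owned_by_lib = 1;
    return s;
}

/* Analogue of avio_alloc_context(): opaque belongs to the caller. */
MiniIO *mini_alloc(void *user) {
    MiniIO *s = calloc(1, sizeof(*s));
    if (s) s->opaque = user;
    return s;
}

/* Analogue of avio_close(), with an ownership check before the cast. */
int mini_close(MiniIO *s) {
    if (!s) return 0;
    if (!s->owned_by_lib) return -EINVAL; /* caller's context: left untouched */
    MiniURL *h = s->opaque;               /* safe: mini_open() put it there */
    free(h);
    free(s);
    g_url_closed++;
    return 0;
}

/* Teardown for a caller-allocated context: the caller keeps its opaque data. */
void mini_free_user(MiniIO *s) { free(s); }

int main(void) {
    char user[] = "caller data";
    MiniIO *u = mini_alloc(user);
    int rc = mini_close(u);               /* refused with -EINVAL */
    mini_free_user(u);
    return rc == -EINVAL ? 0 : 1;
}
```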