Opened 6 years ago

Closed 6 years ago

#6808 closed defect (fixed)

Double free in rtpdec_asf

Reported by: Carl Eugen Hoyos
Owned by:
Priority: important
Component: avformat
Version: git-master
Keywords: rtsp crash abort leak regression
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Testing the url from ticket #6807, I found the following regression since 0cc6dd1b817bc4510714dd99122625d93909290a:

$ valgrind --leak-check=full ./ffmpeg_g -rtsp_transport tcp -i rtsp://121.167.43.161/chosun -f null -
==16010== Memcheck, a memory error detector
==16010== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==16010== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==16010== Command: ./ffmpeg_g -rtsp_transport tcp -i rtsp://121.167.43.161/chosun -f null -
==16010==
ffmpeg version N-88563-gd68a557 Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 6.3.0 (GCC)
  configuration: --enable-gpl
  libavutil      56.  0.100 / 56.  0.100
  libavcodec     58.  1.100 / 58.  1.100
  libavformat    58.  1.100 / 58.  1.100
  libavdevice    58.  0.100 / 58.  0.100
  libavfilter     7.  0.101 /  7.  0.101
  libswscale      5.  0.101 /  5.  0.101
  libswresample   3.  0.101 /  3.  0.101
  libpostproc    55.  0.100 / 55.  0.100
==16010== Invalid free() / delete / delete[] / realloc()
==16010==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16010==    by 0x6F28EE: ff_wms_parse_sdp_a_line (rtpdec_asf.c:147)
==16010==    by 0x703570: ff_sdp_parse (rtsp.c:653)
==16010==    by 0x70A85C: ff_rtsp_setup_input_streams (rtspdec.c:622)
==16010==    by 0x707698: ff_rtsp_connect (rtsp.c:1871)
==16010==    by 0x709DF7: rtsp_read_header (rtspdec.c:726)
==16010==    by 0x737995: avformat_open_input (utils.c:599)
==16010==    by 0x488C9C: open_input_file (ffmpeg_opt.c:1052)
==16010==    by 0x48A4BE: ffmpeg_parse_options (ffmpeg_opt.c:3277)
==16010==    by 0x480306: main (ffmpeg.c:4772)
==16010==  Address 0x7ab4200 is 0 bytes inside a block of size 2,688 free'd
==16010==    at 0x4C29D4E: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16010==    by 0x61E9DB: ffio_ensure_seekback (aviobuf.c:1002)
==16010==    by 0x6580E6: ff_id3v2_read_dict (id3v2.c:1084)
==16010==    by 0x7376CA: avformat_open_input (utils.c:595)
==16010==    by 0x6F289E: ff_wms_parse_sdp_a_line (rtpdec_asf.c:139)
==16010==    by 0x703570: ff_sdp_parse (rtsp.c:653)
==16010==    by 0x70A85C: ff_rtsp_setup_input_streams (rtspdec.c:622)
==16010==    by 0x707698: ff_rtsp_connect (rtsp.c:1871)
==16010==    by 0x709DF7: rtsp_read_header (rtspdec.c:726)
==16010==    by 0x737995: avformat_open_input (utils.c:599)
==16010==    by 0x488C9C: open_input_file (ffmpeg_opt.c:1052)
==16010==    by 0x48A4BE: ffmpeg_parse_options (ffmpeg_opt.c:3277)
==16010==
Guessed Channel Layout for Input Stream #0.0 : stereo
Input #0, rtsp, from 'rtsp://121.167.43.161/chosun':
  Metadata:
    title           : <No Title>
    WMFSDKNeeded    : 0.0.0.0000
    DeviceConformanceTemplate: MP@ML
    WMFSDKVersion   : 9.00.00.4509
    IsVBR           : 0
  Duration: 00:00:00.00, start: 754823.845000, bitrate: N/A
    Stream #0:0: Audio: wmav2 (a[1][0][0] / 0x0161), 48000 Hz, stereo, fltp, 128 kb/s
    Stream #0:1: Video: wmv3 (Main) (WMV3 / 0x33564D57), yuv420p, 480x360, 327 kb/s, 29.97 tbr, 1k tbn, 1k tbc
Stream mapping:
  Stream #0:1 -> #0:0 (wmv3 (native) -> wrapped_avframe (native))
  Stream #0:0 -> #0:1 (wmav2 (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, null, to 'pipe:':
  Metadata:
    title           : <No Title>
    WMFSDKNeeded    : 0.0.0.0000
    DeviceConformanceTemplate: MP@ML
    WMFSDKVersion   : 9.00.00.4509
    IsVBR           : 0
    encoder         : Lavf58.1.100
    Stream #0:0: Video: wrapped_avframe, yuv420p, 480x360, q=2-31, 200 kb/s, 29.97 fps, 29.97 tbn, 29.97 tbc
    Metadata:
      encoder         : Lavc58.1.100 wrapped_avframe
    Stream #0:1: Audio: pcm_s16le, 48000 Hz, stereo, s16, 1536 kb/s
    Metadata:
      encoder         : Lavc58.1.100 pcm_s16le
frame=   44 fps= 32 q=-0.0 Lsize=N/A time=00:00:02.46 bitrate=N/A speed=1.78x
video:23kB audio:256kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown
==16010==
==16010== HEAP SUMMARY:
==16010==     in use at exit: 32,818 bytes in 2 blocks
==16010==   total heap usage: 5,927 allocs, 5,926 frees, 14,888,198 bytes allocated
==16010==
==16010== 32,778 bytes in 1 blocks are definitely lost in loss record 2 of 2
==16010==    at 0x4C290FE: memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16010==    by 0x4C291A7: posix_memalign (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16010==    by 0x108E739: av_malloc (mem.c:87)
==16010==    by 0x61E9AA: ffio_ensure_seekback (aviobuf.c:997)
==16010==    by 0x6580E6: ff_id3v2_read_dict (id3v2.c:1084)
==16010==    by 0x7376CA: avformat_open_input (utils.c:595)
==16010==    by 0x6F289E: ff_wms_parse_sdp_a_line (rtpdec_asf.c:139)
==16010==    by 0x703570: ff_sdp_parse (rtsp.c:653)
==16010==    by 0x70A85C: ff_rtsp_setup_input_streams (rtspdec.c:622)
==16010==    by 0x707698: ff_rtsp_connect (rtsp.c:1871)
==16010==    by 0x709DF7: rtsp_read_header (rtspdec.c:726)
==16010==    by 0x737995: avformat_open_input (utils.c:599)
==16010==
==16010== LEAK SUMMARY:
==16010==    definitely lost: 32,778 bytes in 1 blocks
==16010==    indirectly lost: 0 bytes in 0 blocks
==16010==      possibly lost: 0 bytes in 0 blocks
==16010==    still reachable: 40 bytes in 1 blocks
==16010==         suppressed: 0 bytes in 0 blocks
==16010== Reachable blocks (those to which a pointer was found) are not shown.
==16010== To see them, rerun with: --leak-check=full --show-reachable=yes
==16010==
==16010== For counts of detected and suppressed errors, rerun with: -v
==16010== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
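
An added illustration, not FFmpeg code and not part of the ticket: in the trace above, a 2,688-byte block is freed inside ffio_ensure_seekback (aviobuf.c:1002) during the avformat_open_input call made from rtpdec_asf.c:139, then freed again at rtpdec_asf.c:147, while the 32,778-byte block allocated at aviobuf.c:997 is lost. The constructed C model below reproduces that stale-pointer ownership pattern with a tracking allocator and contrasts it with freeing through the context's current pointer; `IoCtx`, `grow_buffer`, `parse_stale` and `parse_current` are hypothetical names, and only the two block sizes are taken from the trace.

```c
#include <stdlib.h>

/* Constructed stand-in for an I/O context that owns its buffer
 * (hypothetical type, not FFmpeg's own structure). */
typedef struct { unsigned char *buffer; size_t size; } IoCtx;
typedef struct { int double_frees; int leaked; } Report;

/* Tracking allocator: blocks are quarantined rather than returned to the
 * heap, so a second free is counted instead of corrupting memory. */
enum { MAX_BLOCKS = 8 };
static void *blocks[MAX_BLOCKS];
static int live[MAX_BLOCKS], nblocks, double_frees;

static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p || nblocks == MAX_BLOCKS) abort();
    blocks[nblocks] = p;
    live[nblocks++] = 1;
    return p;
}
static void t_free(void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i] == p) {
            if (live[i]) live[i] = 0; else double_frees++;
            return;
        }
}
/* Summarise the run, then really release every block and reset the tracker. */
static Report t_finish(void) {
    Report r = { double_frees, 0 };
    for (int i = 0; i < nblocks; i++) { r.leaked += live[i]; free(blocks[i]); }
    nblocks = double_frees = 0;
    return r;
}
/* Callee replaces the context's buffer: allocate new, free old, swap pointer. */
static void grow_buffer(IoCtx *c, size_t n) {
    unsigned char *nb = t_alloc(n);
    t_free(c->buffer);
    c->buffer = nb;
    c->size = n;
}
/* stale=1: caller frees the pointer it saved before the callee ran.
 * stale=0: caller frees whatever the context owns now. */
static Report parse(int stale) {
    unsigned char *buf = t_alloc(2688);   /* size of the twice-freed block in the trace */
    IoCtx c = { buf, 2688 };
    grow_buffer(&c, 32778);               /* size of the lost block in the trace */
    t_free(stale ? buf : c.buffer);
    return t_finish();
}
Report parse_stale(void)   { return parse(1); }
Report parse_current(void) { return parse(0); }
```

`parse_stale` reports one double free and one leaked block, the same pair of errors Valgrind lists above; `parse_current` reports neither.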

Change History (1)

comment:1 by James, 6 years ago

Resolution: fixed
Status: new → closed