Opened 5 years ago
Closed 5 years ago
#8222 closed defect (fixed)
A potential Use-After-Free bug
Reported by: | wurongxin | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | avfilter |
Version: | git-master | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Reproduced by developer: | no |
Analyzed by developer: | no | | |
Description
Summary of the bug:
In the source file libavfilter/af_afftfilt.c, in the function "static int config_input", there is a potential use-after-free bug. Please see the following code snippet.
At Line 174, the variable arg is assigned a substring separated by "|". If inlink->channels is 1, last_expr will point to the same memory location as args.
At Line 185, "args" is freed, which means last_expr is also freed.
At Line 192, "arg" is again assigned a substring of args separated by "|". If "arg" is null, then "last_expr" at Line 194 is used after free.
```c
173    for (ch = 0; ch < inlink->channels; ch++) {
174        char *arg = av_strtok(ch == 0 ? args : NULL, "|", &saveptr);
175
176        ret = av_expr_parse(&s->real[ch], arg ? arg : last_expr, var_names,
177                            NULL, NULL, func2_names, func2, 0, ctx);
178        if (ret < 0)
179            break;
180        if (arg)
181            last_expr = arg;
182        s->nb_exprs++;
183    }
184
185    av_free(args);
186
187    args = av_strdup(s->img_str ? s->img_str : s->real_str);
188    if (!args)
189        return AVERROR(ENOMEM);
190
191    for (ch = 0; ch < inlink->channels; ch++) {
192        char *arg = av_strtok(ch == 0 ? args : NULL, "|", &saveptr);
193
194        ret = av_expr_parse(&s->imag[ch], arg ? arg : last_expr, var_names,
195                            NULL, NULL, func2_names, func2, 0, ctx);
196        if (ret < 0)
197            break;
198        if (arg)
199            last_expr = arg;
200    }
```
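An added example, not FFmpeg's code or its eventual fix: the same two-pass token walk written so that the fallback expression is an owned copy instead of a pointer into the buffer that is freed between the passes. It assumes POSIX strtok_r (which, like av_strtok, returns pointers into its input), stubs the expression compile as a string copy, and uses hypothetical names (walk, parse_channel_exprs, dangling_case_ok).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* One pass over a "|"-separated list: out[ch] gets a copy of the text that
 * av_expr_parse() would compile; channels past the last token reuse *last. */
static int walk(char *buf, int nb_ch, char *out[], char **last) {
    char *saveptr = NULL;
    for (int ch = 0; ch < nb_ch; ch++) {
        /* strtok_r, like av_strtok, returns pointers INTO buf; keeping one
         * across free(buf) is exactly the dangling last_expr of the report. */
        char *arg = strtok_r(ch == 0 ? buf : NULL, "|", &saveptr);
        if (!arg && !*last)
            return -1;                        /* nothing to fall back on */
        if (!(out[ch] = strdup(arg ? arg : *last)))
            return -1;
        if (arg) {
            free(*last);
            if (!(*last = strdup(arg)))       /* own the fallback, never alias buf */
                return -1;
        }
    }
    return 0;
}
/* Two-pass parse as in config_input(): real list, then imaginary list.
 * out_real/out_imag hold nb_ch pointers the caller frees. 0 on success. */
int parse_channel_exprs(const char *real_str, const char *imag_str, int nb_ch,
                        char *out_real[], char *out_imag[]) {
    char *last = NULL;
    char *args = strdup(real_str);
    int ret = args ? walk(args, nb_ch, out_real, &last) : -1;
    free(args);                               /* safe: last does not point here */
    if (ret == 0) {
        args = strdup(imag_str);
        ret = args ? walk(args, nb_ch, out_imag, &last) : -1;
        free(args);
    }
    free(last);
    return ret;
}
/* The reported trigger: two channels, imaginary list without tokens ("|"),
 * so both imaginary channels fall back to the last real expression. */
int dangling_case_ok(void) {
    char *re[2] = {0}, *im[2] = {0};
    int ok = parse_channel_exprs("re0|re1", "|", 2, re, im) == 0 &&
             strcmp(re[1], "re1") == 0 && strcmp(im[0], "re1") == 0 &&
             strcmp(im[1], "re1") == 0;
    for (int i = 0; i < 2; i++) { free(re[i]); free(im[i]); }
    return ok;                                /* 1: fallback text intact */
}
```

Built with AddressSanitizer or run under valgrind, the original aliasing version of this walk reports the read of the freed buffer on the "|" input; this version does not, because nothing outlives the buffer it points into.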
Change History (4)
comment:1 by richardpl, 5 years ago (follow-up: 2)
Resolution: | → invalid |
---|---|
Status: | new → closed |
last_expr is never freed.
Also valgrind shows nothing.
comment:2, 5 years ago
Replying to richardpl:
last_expr is never freed.
Also valgrind shows nothing.
It is possible that last_expr points to the same memory location as arg (see Line 138). When the loop from Line 130--140 is executed only once, last_expr will still point to arg. Since arg can be the same memory location as args, when args is freed (Line 142), last_expr can be freed. Can you double check this?
comment:3, 5 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
comment:4, 5 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |