Opened 5 years ago
Closed 5 years ago
#8224 closed defect (fixed)
A Double-Free Bug
| Reported by: | wurongxin | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avfilter |
| Version: | git-master | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
How to reproduce:
% ffmpeg -i input ... output ffmpeg version built on ...
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
In the source file libavfilter/vf_nnedi.c, in the function "static int filter_frame", there is a possible double-free bug. Please see the following code snippet. At Line 835, the variable s->second would be alias with src. At Line 860, the variable s->src would be alias with src. Thus, s->second would be alias with s->src. At Line 864 and 865, it would potentially make s->src or s->second freed twice.
- second:
- if ((s->deint && src->interlaced_frame &&
- (!s->deint && !ctx->is_disabled)) {
- s->second = src;
- }
- }
...
- s->src = src;
- ret = get_frame(ctx, 0);
- if (ret < 0) {
- av_frame_free(&s->dst);
- av_frame_free(&s->src);
- av_frame_free(&s->second);
- return ret;
- }
Change History (3)
follow-up: 2 comment:1 by , 5 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 5 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Replying to richardpl:
valgrind shows nothing. Also probably is not enough word.
also exact ways for reproduction are missing.
This bug is detected by static analysis tool. It only happens in certain condition. Valgrind cannot give you anything unless the proper test input is given. Please read the code first and then make the conclusion.
comment:3 by , 5 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
valgrind shows nothing. Also probably is not enough word.
also exact ways for reproduction are missing.