Opened 5 years ago

Closed 4 years ago

#8255 closed defect (fixed)

A double-free bug in libswscale/utils.c

Reported by: wurongxin Owned by:
Priority: normal Component: swscale
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
How to reproduce:

% ffmpeg -i input ... output
ffmpeg version
built on ...

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

In the source file https://github.com/FFmpeg/FFmpeg/blob/master/libswscale/utils.c, in the function "sws_getCachedContext", there is a double-free bug. At Line 2424, it will call the function "sws_init_context" and free the variable context->cascaded_context[1]. At Line 2425, it will call the function "sws_freeContext" and free the variable context->cascaded_context[1] again. Please see the following code snippet.

2371.	struct SwsContext *sws_getCachedContext(struct SwsContext *context, int srcW,
2372.	                                        int srcH, enum AVPixelFormat srcFormat,
2373.	                                        int dstW, int dstH,
2374.	                                        enum AVPixelFormat dstFormat, int flags,
2375.	                                        SwsFilter *srcFilter,
2376.	                                        SwsFilter *dstFilter,
2377.	                                        const double *param)
2378.	{
	...
2424.	        if (sws_init_context(context, srcFilter, dstFilter) < 0) {
2425.	            sws_freeContext(context);
2426.	            return NULL;
2427.	        }

To see how the function "sws_init_context" frees the variable context->cascaded_context[1], please read the following code snippet. The variable "context" has been passed as the first argument (i.e., the parameter "c") to the function "sws_init_context". At Line 1492, c2 is assigned with c->cascaded_context[1], and will be freed at Line 1504 (see the function "sws_freeContext" at Line 2368).

1165.	av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter,
1166.	                             SwsFilter *dstFilter)
1167.	{
	...
1492.	        c2 = c->cascaded_context[1];
	...
1503.	        if (ff_init_filters(c2) < 0) {
1504.	            sws_freeContext(c2);
1505.	            return -1;
1506.	        }


2311.	void sws_freeContext(SwsContext *c)
2312.	{
	...
2368.	    av_free(c);
2369.	}

To see how the function "sws_freeContext" frees the variable context->cascaded_context[1], please read the following code snippet.

2311.	void sws_freeContext(SwsContext *c)
2312.	{
	...
2357.	    sws_freeContext(c->cascaded_context[1]);
	...

As we can see, there is a potential double-free in the function "sws_getCachedContext".
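
The ownership mistake the report describes, reduced to a constructed model (added here; this is not code from the ticket, from FFmpeg, or from the referenced fix): a parent context owns a child through a pointer array, the init routine releases the child when a later step fails but leaves the parent's pointer set, and the parent's free routine then releases the same child again. The names `Ctx`, `ctx_init`, `ctx_free`, `run_scenario` and the tracking allocator are invented for the example; the allocator records each release instead of performing it, so the repeat is counted rather than corrupting the heap. Clearing the owner's pointer after the child is released is shown as a general remedy for this pattern, not as a statement of what the commit cited below changed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator (constructed for this example): every block handed out is
 * remembered, tracked_free() only records a release, and the real free() runs
 * exactly once per block in tracking_reset(). A second release of the same
 * block is therefore observable as a number rather than as undefined behaviour. */
#define MAX_BLOCKS 16
static void *g_blocks[MAX_BLOCKS];   /* blocks handed out since the last reset */
static int   g_released[MAX_BLOCKS]; /* how many times each block was released */
static int   g_nblocks;
static int   g_double_frees;         /* releases of an already-released block */

static void *tracked_alloc(size_t n) {
    if (g_nblocks >= MAX_BLOCKS) return NULL;
    void *p = calloc(1, n);          /* zeroed, so child pointers start as NULL */
    if (!p) return NULL;
    g_blocks[g_nblocks] = p;
    g_released[g_nblocks] = 0;
    g_nblocks++;
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;                  /* like av_free(NULL): a harmless no-op */
    for (int i = 0; i < g_nblocks; i++) {
        if (g_blocks[i] == p) {
            if (g_released[i]++ > 0) g_double_frees++;
            return;
        }
    }
}

static void tracking_reset(void) {
    for (int i = 0; i < g_nblocks; i++) free(g_blocks[i]);
    g_nblocks = 0;
    g_double_frees = 0;
}

/* Blocks never released at all: the leak you would get by merely skipping the free. */
static int leaked_blocks(void) {
    int n = 0;
    for (int i = 0; i < g_nblocks; i++) if (g_released[i] == 0) n++;
    return n;
}

typedef struct Ctx {
    struct Ctx *cascaded[2];         /* stands in for SwsContext.cascaded_context */
} Ctx;

/* Shape of sws_freeContext in the report: release the children, then the parent. */
static void ctx_free(Ctx *c) {
    if (!c) return;
    tracked_free(c->cascaded[0]);
    tracked_free(c->cascaded[1]);
    tracked_free(c);
}

/* Shape of sws_init_context in the report: create cascaded[1], then fail at a
 * later step (fail_step stands in for ff_init_filters(c2) < 0). clear_owner_ptr
 * selects the remedy: drop the parent's claim on the child it just released. */
static int ctx_init(Ctx *c, int fail_step, int clear_owner_ptr) {
    c->cascaded[1] = tracked_alloc(sizeof(Ctx));
    if (!c->cascaded[1]) return -1;
    Ctx *c2 = c->cascaded[1];
    if (fail_step) {
        tracked_free(c2);
        if (clear_owner_ptr)
            c->cascaded[1] = NULL;   /* parent no longer owns a released block */
        return -1;
    }
    return 0;
}

/* Shape of the caller in sws_getCachedContext. Returns the number of repeated
 * releases observed: 1 with the reported ordering, 0 once the pointer is cleared. */
static int run_scenario(int clear_owner_ptr) {
    tracking_reset();
    Ctx *c = tracked_alloc(sizeof(Ctx));
    if (!c) return -1;
    if (ctx_init(c, /*fail_step=*/1, clear_owner_ptr) < 0)
        ctx_free(c);                 /* releases cascaded[1] again unless cleared */
    return g_double_frees;
}

int main(void) {
    int bug = run_scenario(0), bug_leaks = leaked_blocks();
    int fix = run_scenario(1), fix_leaks = leaked_blocks();
    printf("owner pointer left dangling: %d double free(s), %d leak(s)\n", bug, bug_leaks);
    printf("owner pointer cleared:       %d double free(s), %d leak(s)\n", fix, fix_leaks);
    tracking_reset();
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. With a real allocator in place of the tracking one, the same dangling-owner ordering is what AddressSanitizer (`-fsanitize=address`) reports as a double-free on the failure path, which is the check worth running over any init routine that releases sub-objects it does not also disown.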


Change History (2)

comment:1 by Carl Eugen Hoyos, 5 years ago

Priority: critical → normal

comment:2 by Carl Eugen Hoyos, 4 years ago

Resolution: fixed
Status: new → closed

Fixed by Gautam Ramakrishnan in da399e213523867dea1229e8f0fd955fed0410e7
