#8259 closed defect (invalid)
A use-after-free bug in libavcodec/utils.c
| Reported by: | wurongxin | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | unspecified | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
How to reproduce:
% ffmpeg -i input ... output ffmpeg version built on ...
Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.
In the source file https://github.com/FFmpeg/FFmpeg/blob/release/3.4/libavcodec/utils.c, in the function "default_lockmgr_cb", there is a use-after-free bug. Please see the following code. At Line 104, it frees the variable "*mutex", and then uses "*mutex" at Line 105.
69. static int default_lockmgr_cb(void **arg, enum AVLockOp op)
70. {
…
101. case AV_LOCK_DESTROY:
102. if (*mutex)
103. pthread_mutex_destroy(*mutex);
104. av_free(*mutex);
105. avpriv_atomic_ptr_cas(mutex, *mutex, NULL);
Change History (4)
follow-up: 2 comment:1 by , 5 years ago
| Component: | avcodec → undetermined |
|---|---|
| Priority: | critical → normal |
| Resolution: | → invalid |
| Status: | new → closed |
comment:2 by , 5 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Replying to mkver:
Having a dangling pointer and using it in a function call does not constitute a use-after-free; for this, one would have to try to access the (invalid) data at the place where the pointer points to.
I don't think this is a safe operation and a good practice to write the code like that way. A very simple solution would be to swap the Line 104 and 105. Please consider it carefully. BTW, this happens in libavcodec, why you label the component as undetermined?
comment:3 by , 5 years ago
| Resolution: | → invalid |
|---|---|
| Status: | reopened → closed |
The code in question was removed in a04c2c707de2ce850f79870e84ac9d7ec7aa9143
comment:4 by , 5 years ago
| Version: | 3.4.6 → unspecified |
|---|
Having a dangling pointer and using it in a function call does not constitute a use-after-free; for this, one would have to try to access the (invalid) data at the place where the pointer points to.