A use-after-free bug in libavcodec/utils.c

[wurongxin]

Summary of the bug:
How to reproduce:

% ffmpeg -i input ... output
ffmpeg version
built on ...

Patches should be submitted to the ffmpeg-devel mailing list and not this bug tracker.

In the source file ​https://github.com/FFmpeg/FFmpeg/blob/release/3.4/libavcodec/utils.c, in the function "default_lockmgr_cb", there is a use-after-free bug. Please see the following code. At Line 104, it frees the variable "*mutex", and then uses "*mutex" at Line 105.

69.	static int default_lockmgr_cb(void **arg, enum AVLockOp op)
70.	{
	…
101.	    case AV_LOCK_DESTROY:
102.	        if (*mutex)
103.	            pthread_mutex_destroy(*mutex);
104.	        av_free(*mutex);
105.	        avpriv_atomic_ptr_cas(mutex, *mutex, NULL);

[mkver]

Having a dangling pointer and using it in a function call does not constitute a use-after-free; for this, one would have to try to access the (invalid) data at the place where the pointer points to.

[wurongxin]

Replying to mkver:

Having a dangling pointer and using it in a function call does not constitute a use-after-free; for this, one would have to try to access the (invalid) data at the place where the pointer points to.

I don't think this is a safe operation and a good practice to write the code like that way. A very simple solution would be to swap the Line 104 and 105. Please consider it carefully. BTW, this happens in libavcodec, why you label the component as undetermined?

[Carl Eugen Hoyos]

The code in question was removed in a04c2c707de2ce850f79870e84ac9d7ec7aa9143