[FFmpeg-cvslog] avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error

Mon Aug 24 02:09:45 EEST 2020

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Fri Aug  7 13:23:30 2020 +0200| [76909c97c68c79d3c0353de83418a112595e9798] | committer: Andreas Rheinhardt

avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error

The query_formats function of the showpalette filter tries to allocate
two lists of formats which on success are attached to more permanent objects
(AVFilterLinks) for storage afterwards. If attaching a list to an
AVFilterLink succeeds, the link becomes one (in this case the only one)
of the owners of the list. Yet if attaching the first list to its link
succeeds and attaching the second list fails, both lists were manually
freed, which means that the first link's pointer to the first list
becomes dangling and there will be a double-free when the first link is
cleaned up automatically.

This commit fixes this by removing the custom free code; this will
temporarily add a leaking codepath (if attaching a list to a link fails,
the list will leak), but this will be fixed shortly by making sure that
an AVFilterFormats without owner will be automatically freed when
attaching it to an AVFilterLink fails. Notice at most one list leaks
because as of this commit a new list is only allocated after the old list
has been successfully attached to a link.

Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76909c97c68c79d3c0353de83418a112595e9798
---

 libavfilter/vf_showpalette.c | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/libavfilter/vf_showpalette.c b/libavfilter/vf_showpalette.c
index f715d6bc2c..c32dbd5b5d 100644
--- a/libavfilter/vf_showpalette.c
+++ b/libavfilter/vf_showpalette.c
@@ -46,26 +46,13 @@ static int query_formats(AVFilterContext *ctx)
 {
     static const enum AVPixelFormat in_fmts[]  = {AV_PIX_FMT_PAL8,  AV_PIX_FMT_NONE};
     static const enum AVPixelFormat out_fmts[] = {AV_PIX_FMT_RGB32, AV_PIX_FMT_NONE};
-    int ret;
-    AVFilterFormats *in  = ff_make_format_list(in_fmts);
-    AVFilterFormats *out = ff_make_format_list(out_fmts);
-    if (!in || !out) {
-        ret = AVERROR(ENOMEM);
-        goto fail;
-    }
+    int ret = ff_formats_ref(ff_make_format_list(in_fmts),
+                             &ctx->inputs[0]->out_formats);
+    if (ret < 0)
+        return ret;
 
-    if ((ret = ff_formats_ref(in , &ctx->inputs[0]->out_formats)) < 0 ||
-        (ret = ff_formats_ref(out, &ctx->outputs[0]->in_formats)) < 0)
-        goto fail;
-    return 0;
-fail:
-    if (in)
-        av_freep(&in->formats);
-    av_freep(&in);
-    if (out)
-        av_freep(&out->formats);
-    av_freep(&out);
-    return ret;
+    return ff_formats_ref(ff_make_format_list(out_fmts),
+                          &ctx->outputs[0]->in_formats);
 }
 
 static int config_output(AVFilterLink *outlink)

