[FFmpeg-cvslog] avformat/aviobuf: fix double free by return early on error

Steven Liu git at videolan.org
Thu Dec 16 05:03:26 EET 2021


ffmpeg | branch: master | Steven Liu <liuqi05 at kuaishou.com> | Wed Dec  1 11:19:47 2021 +0800| [3f46ffe956a563a975b65fcb0bcf131fd30956ff] | committer: Steven Liu

avformat/aviobuf: fix double free by return early on error

avio_closep() already frees s->buffer with av_freep(), so the buffer
must not be passed to av_freep() again at the fail label once avio_closep() has run.
Move the av_freep() so that it runs before avio_closep() and remove the fail label.

Reported-by: TOTE Robot <oslab at tsinghua.edu.cn>
Reviewed-by: Zhao Zhili <zhilizhao at tencent.com>
Signed-off-by: Steven Liu <liuqi05 at kuaishou.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f46ffe956a563a975b65fcb0bcf131fd30956ff
---

 libavformat/aviobuf.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 969c127b23..14d4b8f240 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -977,18 +977,19 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
                             (int (*)(void *, uint8_t *, int))  ffurl_read,
                             (int (*)(void *, uint8_t *, int))  ffurl_write,
                             (int64_t (*)(void *, int64_t, int))ffurl_seek);
-    if (!*s)
-        goto fail;
-
+    if (!*s) {
+        av_freep(&buffer);
+        return AVERROR(ENOMEM);
+    }
     (*s)->protocol_whitelist = av_strdup(h->protocol_whitelist);
     if (!(*s)->protocol_whitelist && h->protocol_whitelist) {
         avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
     }
     (*s)->protocol_blacklist = av_strdup(h->protocol_blacklist);
     if (!(*s)->protocol_blacklist && h->protocol_blacklist) {
         avio_closep(s);
-        goto fail;
+        return AVERROR(ENOMEM);
     }
     (*s)->direct = h->flags & AVIO_FLAG_DIRECT;
 
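Review bot: The error paths in this hunk now clean up in two different ways and nothing in the code records why: once `avio_alloc_context()` has succeeded, `buffer` belongs to `*s` and is released by `avio_closep(s)`, which is the ownership rule whose absence produced the double free. A one-line comment above the first `av_strdup()` call, e.g. `/* buffer is owned by *s from here on; avio_closep() frees it */`, would keep a later error path from reintroducing `av_freep(&buffer)`. It is also worth confirming what else `avio_closep()` releases, because `h` appears to be handed to the context as its opaque pointer (the call starts above the hunk); if closing the context also closes `h`, a caller that closes `h` itself when `ffio_fdopen()` fails would hit the same class of bug, which cannot be checked from these lines. The body of `ffio_fdopen()` starts before the hunk and continues after it.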
@@ -1006,9 +1007,6 @@ int ffio_fdopen(AVIOContext **s, URLContext *h)
     ((FFIOContext*)(*s))->short_seek_get = (int (*)(void *))ffurl_get_short_seek;
     (*s)->av_class = &ff_avio_class;
     return 0;
-fail:
-    av_freep(&buffer);
-    return AVERROR(ENOMEM);
 }
 
 URLContext* ffio_geturlcontext(AVIOContext *s)


