[FFmpeg-devel] [PATCH] deobfuscate ff_interleave_add_packet

Reimar Döffinger Reimar.Doeffinger
Sun Apr 12 09:55:49 CEST 2009


On Sun, Apr 12, 2009 at 12:08:14PM +0800, avcoder wrote:
> Dear?
> 
> On Sat, Apr 11, 2009 at 8:54 PM, Reimar Döffinger
> <Reimar.Doeffinger at gmx.de> wrote:
> 
> > Hello,
> > I propose this change:
> > Index: libavformat/utils.c
> > ===================================================================
> > --- libavformat/utils.c (revision 18431)
> > +++ libavformat/utils.c (working copy)
> > @@ -2613,10 +2613,8 @@
> >
> >     this_pktl = av_mallocz(sizeof(AVPacketList));
> >     this_pktl->pkt= *pkt;
> > -    if(pkt->destruct == av_destruct_packet)
> > -        pkt->destruct= NULL; // not shared -> must keep original from
> > being freed
> > -    else
> > -        av_dup_packet(&this_pktl->pkt);  //shared -> must dup
> > +    pkt->destruct= NULL; // do not free original but only the copy
> > +    av_dup_packet(&this_pktl->pkt);  // duplicate the packet if it uses
> > non-alloced memory
> >
> >     next_point = &s->packet_buffer;
> >     while(*next_point){
> >
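Review bot: the new version only works because `this_pktl->pkt= *pkt;` comes before `pkt->destruct= NULL;`, so the buffered copy inherits the original destruct and only the caller's packet is neutered; the added comment should state that ordering, since swapping the two lines would leave the copy with destruct NULL, make av_dup_packet allocate a fresh buffer every time, and never call a demuxer-specific destruct for the data. Also, the return value of av_dup_packet is still discarded; after this change the original always has destruct NULL, so if the duplication fails the queued copy keeps aliasing the caller's buffer with nobody left to own it, which the old code at least avoided in the av_destruct_packet case.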
> > Reasons:
> > Besides being simpler, there are 3 cases (the deprecated nofree is treated
> > the same as NULL):
> > 1) pkt->destruct == NULL, behaviour is unchanged
> > 2) pkt->destruct == av_destruct_packet, behaviour is unchanged since
> >   av_dup_packet is a nop then
> > 3) pkt->destruct something else:
> >  old code:
> >    av_dup_packet is called but is a nop, thus destruct will later be
> >    called twice resulting in something equivalent to a double free
> >  new code:
> >    destruct will only be called for the copy
> 
> 
> Could you elaborate on case 3?
> 
> Why "the destruct will later be called TWICE resulting in something
> equivalent to a double free"?
> 
> I think there is no opportunity to call it TWICE in this case!

Simple: afterwards there is the original pkt and there is
this_pktl->pkt.
For both we will call av_free_packet. Since in case 3 they remain
completely unchanged they are the same (and have a destruct function
set) and thus destruct will be called twice with exactly the same data
(the AVPacket pointers are different, but their contents are the same).
If that function was a simple reimplementation of av_destruct_packet
you'd thus have a double free (and in addition the first free would
probably happen before we are finished using the second packet).
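To make the three cases concrete, here is an added example (not code from this thread or from FFmpeg) that models the removed and the added lines of the hunk with stand-ins for AVPacket, av_dup_packet, av_destruct_packet and av_free_packet, reduced to data ownership, and counts how often a packet's destruct runs once both the caller's packet and the buffered copy are freed. The names Pkt, dup_packet, add_old, add_new and count_destructs are my own; the stand-in for av_dup_packet follows the behaviour the mail describes (allocate a copy only when destruct is NULL, otherwise a no-op).

```c
#include <stdlib.h>
typedef struct Pkt {             /* stand-in for AVPacket */
    unsigned char *data;
    int size;
    void (*destruct)(struct Pkt *);
} Pkt;

static int destruct_calls;       /* how often any destruct ran */
/* stand-in for av_destruct_packet: the packet owns and frees its data */
static void destruct_packet(Pkt *p) { destruct_calls++; free(p->data); p->data = NULL; }
/* stand-in for a demuxer-specific destruct (case 3 in the mail) */
static void custom_destruct(Pkt *p) { destruct_calls++; p->data = NULL; }
/* stand-in for av_free_packet */
static void free_packet(Pkt *p) { if (p->destruct) p->destruct(p); }

/* stand-in for av_dup_packet: allocates a private copy only when the packet
 * does not own its data (destruct == NULL); for any other destruct it is a no-op */
static void dup_packet(Pkt *p) {
    if (p->destruct == NULL && p->data) {
        p->data = malloc(p->size);   /* contents are irrelevant for the count */
        p->destruct = destruct_packet;
    }
}

/* the lines removed by the hunk */
static void add_old(Pkt *pkt, Pkt *copy) {
    *copy = *pkt;
    if (pkt->destruct == destruct_packet) pkt->destruct = NULL;
    else dup_packet(copy);
}

/* the lines added by the hunk: copy first, then clear the original, then dup the copy */
static void add_new(Pkt *pkt, Pkt *copy) {
    *copy = *pkt;
    pkt->destruct = NULL;
    dup_packet(copy);
}

/* buffers one packet, then frees both the caller's packet and the buffered
 * copy (as the caller and the interleave queue do) and returns how often destruct ran */
static int count_destructs(void (*add)(Pkt *, Pkt *), void (*d)(Pkt *)) {
    unsigned char *buf = malloc(4);  /* constructed sample payload */
    Pkt pkt = { buf, 4, d }, copy;
    destruct_calls = 0;
    add(&pkt, &copy);
    free_packet(&pkt);
    free_packet(&copy);
    if (d != destruct_packet) free(buf);  /* only destruct_packet frees buf itself */
    return destruct_calls;
}
```

A correct result is exactly one destruct call per buffered packet; the old code reaches two for a custom destruct, which is the "double free" of case 3.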
