[FFmpeg-trac] #8255(swscale:new): A double-free bug in libswscale/utils.c

FFmpeg trac at avcodec.org
Fri Oct 11 16:19:00 EEST 2019 

#8255: A double-free bug in libswscale/utils.c
-----------------------------------+--------------------------------------
             Reporter:  wurongxin  |                     Type:  defect
               Status:  new        |                 Priority:  critical
            Component:  swscale    |                  Version:  git-master
             Keywords:             |               Blocked By:
             Blocking:             |  Reproduced by developer:  0
Analyzed by developer:  0          |
-----------------------------------+--------------------------------------
 Summary of the bug:
 How to reproduce:
 {{{
 % ffmpeg -i input ... output
 ffmpeg version
 built on ...
 }}}
 Patches should be submitted to the ffmpeg-devel mailing list and not this
 bug tracker.


 In the source file
 https://github.com/FFmpeg/FFmpeg/blob/master/libswscale/utils.c, in the
 function "sws_getCachedContext", there is a double-free bug. At Line 2424,
 it will call the function "sws_init_context" and free the variable
 context->cascaded_context[1]. At Line 2425, it will call the function
 "sws_freeContext" and free the variable context->cascaded_context[1]
 again. Please see the following code snippet.

 {{{
 2371.   struct SwsContext *sws_getCachedContext(struct SwsContext
 *context, int srcW,
 2372.                                           int srcH, enum
 AVPixelFormat srcFormat,
 2373.                                           int dstW, int dstH,
 2374.                                           enum AVPixelFormat
 dstFormat, int flags,
 2375.                                           SwsFilter *srcFilter,
 2376.                                           SwsFilter *dstFilter,
 2377.                                           const double *param)
 2378.   {
         …
 2424.           if (sws_init_context(context, srcFilter, dstFilter) < 0) {
 2425.               sws_freeContext(context);
 2426.               return NULL;
 2427.           }
 }}}

 To see how the function "sws_init_context" frees the variable
 context->cascaded_context[1], please read the following code snippet. The
 variable "context" has been passed as the first argument (i.e., the
 parameter "c") to the function "sws_init_context".  At Line 1492, c2 is
 assigned with c->cascaded_context[1], and will be freed at Line 1504 (see
 the function "sws_freeContext" at Line 2368).

 {{{
 1165.   av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter,
 1166.                                SwsFilter *dstFilter)
 1167.   {
         ...
 1492.           c2 = c->cascaded_context[1];
     ...
 1503.        if (ff_init_filters(c2) < 0) {
 1504.               sws_freeContext(c2);
 1505.               return -1;
 1506.        }


 2311.   void sws_freeContext(SwsContext *c)
 2312.   {
             ...
 2368.       av_free(c);
 2369.   }
 }}}


 To see how the function "sws_freeContext" frees the variable
 context->cascaded_context[1], please read the following code snippet.

 {{{
 2311.   void sws_freeContext(SwsContext *c)
 2312.   {
             ...
 2357.       sws_freeContext(c->cascaded_context[1]);
         ...
 }}}

 As we can see, there is a potential double-free occurred in the function
 "sws_getCachedContext".

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8255>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list