[FFmpeg-trac] #8229(undetermined:closed): A potential Use-After-Free bug in the source file libavfilter/vf_hwmap.c
FFmpeg
trac at avcodec.org
Sat Oct 12 06:10:49 EEST 2019
#8229: A potential Use-After-Free bug in the source file libavfilter/vf_hwmap.c
-------------------------------------+-------------------------------------
Reporter: wurongxin | Owner:
Type: defect | Status: closed
Priority: normal | Component: undetermined
Version: git-master | Resolution: invalid
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Changes (by mkver):
* priority: critical => normal
* resolution: => invalid
* status: new => closed
* component: avfilter => undetermined
Comment:
> At Line 828, the copy of the variable derived_device_ctx will be created
> and assigned to the variable dst_ref. Since this copy is a shallow copy,
> dst_ref->buffer is actually the same memory address as
> derived_device_ctx->buffer. At Line 870, dst_ref->buffer can be freed when
> calling to the function av_buffer_unref.
No.
1. dst_ref->buffer is not the same as derived_device_ctx->buffer;
((AVHWFramesContext*) dst_ref->buffer)->device_ref->buffer is.
2. But more importantly, you completely ignored/misunderstood that we are
dealing with reference-counted buffers here:
a) If the call to av_hwframe_ctx_alloc() fails, the reference counter
of the underlying AVBuffer of derived_device_ctx is the same as before the
call and dst_ref is NULL, so that av_buffer_unref(&dst_ref) is basically a
no-op.
b) If the call to av_hwframe_ctx_alloc() succeeds, the reference
counter to derived_device_ctx has been incremented by 1. Should we goto
fail in av_hwframe_ctx_create_derived() later on, dst_ref will be
unreferenced; given that the reference counter of the underlying AVBuffer
(which is different from the underlying AVBuffer of derived_device_ctx) is
certain to be 1 at this point, this will trigger freeing of the underlying
buffer via hwframe_ctx_free(). This in turn will unreference
((AVHWFramesContext*) dst_ref->buffer)->device_ref and therefore decrement
the reference counter of the underlying buffer of derived_device_ctx, but
it will not free this buffer; it will just undo the earlier increment.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8229#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
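The two cases mkver walks through in the reply can be replayed in a miniature of the reference-counting scheme. What follows is an added example, not code from the ticket, from the reporter, or from FFmpeg: it models AVBuffer/AVBufferRef with a small Buffer/BufferRef pair and uses stand-ins named frames_ctx_alloc() and frames_ctx_free() for av_hwframe_ctx_alloc() and hwframe_ctx_free(). Every name in the block, the Trace record and the 64-byte device payload are the example's own assumptions, not FFmpeg's API. It shows why releasing dst_ref on the failure path drops the device's count from 2 back to 1 without freeing the device buffer, and why unreferencing a NULL handle does nothing.

```c
#include <stdlib.h>
/* Constructed miniature of libavutil's AVBuffer/AVBufferRef (assumption: this is
 * not FFmpeg's code). A BufferRef is a shallow handle; the count lives in Buffer. */
typedef struct Buffer { void *data; int refcount; void (*free_cb)(void *, void *); void *opaque; } Buffer;
typedef struct BufferRef { Buffer *buffer; void *data; } BufferRef;

static int freed_buffers;   /* underlying Buffers actually released so far */
static void default_free(void *opaque, void *data) { (void)opaque; free(data); }

static BufferRef *buffer_create(void *data, void (*free_cb)(void *, void *), void *opaque)
{
    Buffer *buf = calloc(1, sizeof(*buf));
    BufferRef *ref = calloc(1, sizeof(*ref));
    if (!buf || !ref) { free(buf); free(ref); return NULL; }
    buf->data = data; buf->refcount = 1; buf->opaque = opaque;
    buf->free_cb = free_cb ? free_cb : default_free;
    ref->buffer = buf; ref->data = data;
    return ref;
}

/* Like av_buffer_ref(): a new handle on the same Buffer, count + 1. */
static BufferRef *buffer_ref(const BufferRef *src)
{
    BufferRef *ref = malloc(sizeof(*ref));
    if (!ref) return NULL;
    *ref = *src;
    src->buffer->refcount++;
    return ref;
}

/* Like av_buffer_unref(): NULL is a no-op (case a); the Buffer is released only
 * when the last handle goes away. */
static void buffer_unref(BufferRef **pref)
{
    BufferRef *ref = *pref;
    if (!ref) return;
    *pref = NULL;
    if (--ref->buffer->refcount == 0) {
        ref->buffer->free_cb(ref->buffer->opaque, ref->buffer->data);
        free(ref->buffer);
        freed_buffers++;
    }
    free(ref);
}

/* The frames context owns its own reference to the device context; its free
 * callback drops that reference, the role hwframe_ctx_free() plays in the reply. */
typedef struct FramesContext { BufferRef *device_ref; } FramesContext;

static void frames_ctx_free(void *opaque, void *data)
{
    FramesContext *ctx = data;
    (void)opaque;
    buffer_unref(&ctx->device_ref);   /* undoes the increment taken at alloc time */
    free(ctx);
}

/* Stand-in for av_hwframe_ctx_alloc(): takes a new reference on device_ref. */
static BufferRef *frames_ctx_alloc(BufferRef *device_ref)
{
    FramesContext *ctx = calloc(1, sizeof(*ctx));
    if (!ctx) return NULL;
    ctx->device_ref = buffer_ref(device_ref);
    if (!ctx->device_ref) { free(ctx); return NULL; }
    BufferRef *ref = buffer_create(ctx, frames_ctx_free, NULL);
    if (!ref) { buffer_unref(&ctx->device_ref); free(ctx); return NULL; }
    return ref;
}

typedef struct Trace {
    int device_count_after_alloc;   /* 2: caller's handle plus the frames context's */
    int device_count_after_unref;   /* 1: the device survives the failure path */
    int frames_buffer_freed;        /* 1 */
    int device_buffer_freed;        /* 0 */
    int null_unref_is_noop;         /* 1 */
} Trace;

/* Replay the "goto fail" path of case (b), then the NULL unref of case (a). */
Trace replay_failure_path(void)
{
    Trace t = {0};
    freed_buffers = 0;
    BufferRef *derived_device_ctx = buffer_create(malloc(64), NULL, NULL);  /* constructed payload */
    BufferRef *dst_ref = frames_ctx_alloc(derived_device_ctx);
    t.device_count_after_alloc = derived_device_ctx->buffer->refcount;
    buffer_unref(&dst_ref);                          /* frames count 1 -> 0 */
    t.frames_buffer_freed = (freed_buffers == 1);
    t.device_count_after_unref = derived_device_ctx->buffer->refcount;
    t.device_buffer_freed = (freed_buffers > 1);
    ((char *)derived_device_ctx->data)[0] = 'x';     /* device memory is still valid */
    BufferRef *nothing = NULL;
    buffer_unref(&nothing);
    t.null_unref_is_noop = (freed_buffers == 1);
    buffer_unref(&derived_device_ctx);               /* the caller's own release */
    return t;
}

int main(void) { return replay_failure_path().device_buffer_freed; }  /* non-zero exit would mean a real UAF */
```

Build with `cc -std=c99 -Wall -fsanitize=address` and run it: the exit status is 0 because the device buffer is still alive after dst_ref is released, and ASan stays silent because the write into the device payload happens while its count is 1, not after a free. Deleting the buffer_ref() call in frames_ctx_alloc() (so the frames context shares the caller's handle without taking its own count) is the change that would turn the same sequence into the use-after-free the report assumed.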