Opened 6 years ago
Closed 6 years ago
#7193 closed defect (needs_more_info)
Double free in libavformat/utils.c
| Reported by: | timmyyuan | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avformat |
| Version: | git-master | Keywords: | |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
At libavformat/utils.c:642, s->internal->id3v2_meta is freed by av_dict_free in the else-branch.
At libavformat/utils.c:661, if the if-branch condition turns out to be true, the program goes to the fail handler at line 681.
At libavformat/utils.c:686, avformat_free_context(s) is called in the fail handler.
At libavformat/utils.c:4414, s->internal->id3v2_meta is freed a second time by av_dict_free in function avformat_free_context.
Change History (3)
comment:1 by , 6 years ago (follow-up: comment:2)
| Keywords: | double free removed |
|---|---|
comment:2 by , 6 years ago
Replying to cehoyos:
How can I reproduce this issue?
We found this flaw with a static analyzer. To trigger the double frees at line 682 (id3v2_extra_meta, first freed at 659) or line 686 (id3v2_meta, first freed at 642), a malloc error or memory corruption (corrupting the size of an AVPacket to be negative or a very large number) can make the if-branches go to the fail handler. As a result, it will lead to a double free in all applications calling avformat_open_input.
```c
// file ffmpeg/libavformat/utils.c
...
537 int avformat_open_input(AVFormatContext **ps, const char *filename,
538                         AVInputFormat *fmt, AVDictionary **options)
539 {
...
642         av_dict_free(&s->internal->id3v2_meta);
643         if (s->error_recognition & AV_EF_EXPLODE)
644             return AVERROR_INVALIDDATA;
645     }
...
650     if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0)
651         goto fail;
652     if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0)
653         goto fail;
654     if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0)
655         goto fail;
...
659     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
660
661     if ((ret = avformat_queue_attached_pictures(s)) < 0)
662         goto fail;
...
681 fail:
682     ff_id3v2_free_extra_meta(&id3v2_extra_meta);
683     av_dict_free(&tmp);
684     if (s->pb && !(s->flags & AVFMT_FLAG_CUSTOM_IO))
685         avio_closep(&s->pb);
686     avformat_free_context(s);
687     *ps = NULL;
688     return ret;
689 }
...
```
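Whether the second release in the fail handler touches live memory depends on one detail of the cleanup helper: av_dict_free takes the address of the pointer (as the `&s->internal->id3v2_meta` call above shows) and resets it to NULL after freeing, so a repeated call on the same location is a no-op. The following is an added example, not FFmpeg code: it models the excerpt's control flow (early release at 642, failing step at 661, shared cleanup at 686) with a constructed `Dict` type and a free helper of that same double-pointer shape; `dict_new`, `dict_free`, `open_input_model` and `meta_live` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for AVDictionary, constructed for this example. */
typedef struct Dict { char *value; } Dict;
static Dict *dict_new(const char *v)
{
    Dict *d = calloc(1, sizeof(*d));
    if (!d) return NULL;
    d->value = strdup(v);
    return d;
}

/* Free helper with the av_dict_free(AVDictionary **) shape: release the object
 * and reset the caller's pointer, so a repeated call is a harmless no-op. */
static void dict_free(Dict **pd)
{
    if (!pd || !*pd)
        return;
    free((*pd)->value);
    free(*pd);
    *pd = NULL;
}

/* Models the excerpt's control flow: metadata released early on one branch
 * (utils.c:642), a later step failing (utils.c:661), the shared fail label
 * releasing it again (utils.c:686).  *meta_live_at_fail reports whether the
 * pointer still referenced live memory when the cleanup at the label ran. */
static int open_input_model(int discard_meta, int later_step_fails,
                            int *meta_live_at_fail)
{
    Dict *meta = dict_new("constructed sample title");
    int ret = 0;
    if (discard_meta)
        dict_free(&meta);          /* early release on the error branch */
    if (later_step_fails) {
        ret = -1;
        goto fail;                 /* jump to the shared cleanup */
    }
fail:
    *meta_live_at_fail = (meta != NULL);
    dict_free(&meta);              /* safe on both paths: helper nulls its argument */
    return ret;
}
/* 1 if the cleanup at the fail label saw live memory, 0 if already reset. */
static int meta_live(int discard_meta, int later_step_fails)
{
    int live = 0;
    open_input_model(discard_meta, later_step_fails, &live);
    return live;
}
```

Running the reported path (early release, then failure) under a sanitizer or glibc's double-free detection is the quickest way to confirm whether a helper that does not null its argument would turn this control flow into a real double free.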
comment:3 by , 6 years ago
| Resolution: | → needs_more_info |
|---|---|
| Status: | new → closed |
Please provide a sample that allows reproducing the issue, or send a patch (made with git format-patch) that fixes the issue you see to the FFmpeg development mailing list.