Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

avfilter/vf_remap: Fix double-free of AVFilterFormats on error

Browse Source 
The query_formats function of the remap filter tries to allocate
two lists of formats which on success are attached to more permanent objects
(AVFilterLinks) for storage afterwards. If attaching a list to an
AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more
exactly, the AVFilterLink becomes one of the common owners of the list).
Yet if attaching a list to one of its links succeeds and an error happens
lateron, both lists were manually freed, which means that is wrong if the
list is already owned by one or more links; these links' pointers to
their lists will become dangling and there will be a double-free/use-after-
free when these links are cleaned up automatically.

This commit fixes this by removing the custom free code; this will
temporarily add a leaking codepath (if attaching a list not already
owned by a link to a link fails, the list will leak), but this will
be fixed soon by making sure that an AVFilterFormats without owner will
be automatically freed when attaching it to an AVFilterLink fails.
Notice at most one list leaks because a new list is only allocated
after the old list has been successfully attached to a link.

Reviewed-by: Nicolas George <george@nsup.org>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
pull/350/head
Andreas Rheinhardt 4 years ago
parent 76909c97c6
commit 07240c36c2
1 changed files with 7 additions and 17 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 24
      libavfilter/vf_remap.c

24
libavfilter/vf_remap.c
Unescape View File

@ -115,25 +115,15 @@ static int query_formats(AVFilterContext *ctx)
AVFilterFormats *pix_formats = NULL, *map_formats = NULL;
int ret;
if (!(pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts)) ||
!(map_formats = ff_make_format_list(map_fmts))) {
ret = AVERROR(ENOMEM);
goto fail;
}
pix_formats = ff_make_format_list(s->format ? gray_pix_fmts : pix_fmts);
if ((ret = ff_formats_ref(pix_formats, &ctx->inputs[0]->out_formats)) < 0 ||
(ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0 ||
(ret = ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats)) < 0 ||
(ret = ff_formats_ref(pix_formats, &ctx->outputs[0]->in_formats)) < 0)
goto fail;
return 0;
fail:
if (pix_formats)
av_freep(&pix_formats->formats);
av_freep(&pix_formats);
if (map_formats)
av_freep(&map_formats->formats);
av_freep(&map_formats);
return ret;
return ret;
map_formats = ff_make_format_list(map_fmts);
if ((ret = ff_formats_ref(map_formats, &ctx->inputs[1]->out_formats)) < 0)
return ret;
return ff_formats_ref(map_formats, &ctx->inputs[2]->out_formats);
}
/**

Write Preview
Loading…
Cancel
Save