aboutsummaryrefslogtreecommitdiffstats
path: root/RELEASE
diff options
context:
space:
mode:
authorAndreas Rheinhardt <andreas.rheinhardt@gmail.com>2020-08-07 03:41:18 +0200
committerAndreas Rheinhardt <andreas.rheinhardt@gmail.com>2020-08-12 21:22:53 +0200
commit195a25a7aba89d4fc040de63cbc6389abece393d (patch)
tree325a8c7073a822ad343174a90733a74a21d66248 /RELEASE
parentae5026c90502fad71338b81badd227db00b462cf (diff)
downloadffmpeg-195a25a7aba89d4fc040de63cbc6389abece393d.tar.gz
avfilter/formats: Leave lists' ownership unchanged upon merge failure
ff_merge_formats(), ff_merge_samplerates() and ff_merge_channel_layouts() share common semantics: If merging succeeds, a non-NULL pointer is returned and both input lists (of type AVFilterFormats resp. AVFilterChannelLayouts) are to be treated as if they had been freed; the owners of the input parameters (if any) become owners of the returned list. If merging does not succeed, NULL is returned and both input lists are supposed to be unchanged. The problem is that the functions did not abide by these semantics: In case of reallocation failure, it is possible for these functions to return NULL after having already freed one of the two input list. This happens because sometimes the refs-array of the destined output gets reallocated twice to its final size and if the second of these reallocations fails, the first of the two inputs has already been freed and its refs updated to point to the destined output which in this case will be freed immediately so that all of the already updated pointers are now dangling. This leads to use-after-frees and memory corruptions lateron (when these owners get cleaned up, the lists they own get unreferenced). Should the input lists don't have owners at all, the caller (namely can_merge_formats() in avfiltergraph.c) thinks that both the input lists are unchanged and need to be freed, leading to a double free. The solution to this is simple: Don't reallocate twice; do it just once. This also saves a reallocation. This commit fixes the issue behind Coverity issue #1452636. It might also make Coverity realize that the issue has been fixed. Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Diffstat (limited to 'RELEASE')
0 files changed, 0 insertions, 0 deletions