* [FFmpeg-devel] [PATCH v4 0/3] fix leak in avfilter/asrc_sinc and avformat/sapenc
@ 2025-06-30 15:01 Lidong Yan
2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 1/3] avfilter/asrc_sinc: fix leak in config_input() Lidong Yan
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-30 15:01 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
This patch series fixes memory leaks in `avfilter/asrc_sinc` and
`avformat/sapenc`.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaEpkmRYJKwYBBAHaRw8BAQdAGwGqH/Dwod+i6kR0/Rhn5GanJ7wK8mM9tWP/
W2qu8Ti0HTUwMjAyNDMzMDA1NkBzbWFpbC5uanUuZWR1LmNuiJkEExYKAEEWIQQC
zskBcOehk1y8GoKZR31bPD+6owUCaEpkmQIbAwUJBaOagAULCQgHAgIiAgYVCgkI
CwIEFgIDAQIeBwIXgAAKCRCZR31bPD+6o8wHAQCLomsA4XfTd8IdG983gGULUJe/
0432buy4nX7AsAc87QEA+/QIsWTR6XLJaLa1sLSQCsZkb86U3c17JzG9oivL8gW4
OARoSmSZEgorBgEEAZdVAQUBAQdAfYrEAWd+6bOXkKvHpFmMvKzxAtlhm6ZQKdAq
+MlJ7wQDAQgHiHgEGBYKACAWIQQCzskBcOehk1y8GoKZR31bPD+6owUCaEpkmQIb
DAAKCRCZR31bPD+6ozWxAQC9OFisWrP/hHXUfj8AnC39r5pf5fEBz7lHvFgWNk2b
XwD7Bl6kvIIW7ReqtgXvcl7u78vEo+e9YeTGTlmAogjpeQk=
=rP+W
-----END PGP PUBLIC KEY BLOCK-----
Lidong Yan (3):
avfilter/asrc_sinc: fix leak in config_input()
avformat/sapenc: fix leak in sap_write_header()
avformat/sapenc: reword fail to cleanup in sap_write_header()
libavfilter/asrc_sinc.c | 18 +++++++++++-------
libavformat/sapenc.c | 34 +++++++++++++++++++---------------
2 files changed, 30 insertions(+), 22 deletions(-)
--
2.50.0.106.gf0135a9047.dirty
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread* [FFmpeg-devel] [PATCH v4 1/3] avfilter/asrc_sinc: fix leak in config_input() 2025-06-30 15:01 [FFmpeg-devel] [PATCH v4 0/3] fix leak in avfilter/asrc_sinc and avformat/sapenc Lidong Yan @ 2025-06-30 15:01 ` Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 3/3] avformat/sapenc: reword fail to cleanup " Lidong Yan 2 siblings, 0 replies; 5+ messages in thread From: Lidong Yan @ 2025-06-30 15:01 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Lidong Yan In config_input(), fir_to_phase() allocates memory in h[longer], which would leak if av_calloc() to s->coeffs failed. lpf() allocates memory in h[0] and h[1], which would leak if fir_to_phase() failed. To fix this leak, add av_free(h[longer]) in as cleanup code, and replace return AVERROR* with goto cleanup to prevent from leaks. Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> --- libavfilter/asrc_sinc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libavfilter/asrc_sinc.c b/libavfilter/asrc_sinc.c index 6ff3303316..05cf53fed8 100644 --- a/libavfilter/asrc_sinc.c +++ b/libavfilter/asrc_sinc.c @@ -329,7 +329,7 @@ static int config_output(AVFilterLink *outlink) SincContext *s = ctx->priv; float Fn = s->sample_rate * .5f; float *h[2]; - int i, n, post_peak, longer; + int i, n, post_peak, longer, ret; outlink->sample_rate = s->sample_rate; s->pts = 0; @@ -360,9 +360,9 @@ static int config_output(AVFilterLink *outlink) } if (s->phase != 50.f) { - int ret = fir_to_phase(s, &h[longer], &n, &post_peak, s->phase); + ret = fir_to_phase(s, &h[longer], &n, &post_peak, s->phase); if (ret < 0) - return ret; + goto cleanup; } else { post_peak = n >> 1; } @@ -370,17 +370,21 @@ static int config_output(AVFilterLink *outlink) s->n = 1 << (av_log2(n) + 1); s->rdft_len = 1 << av_log2(n); s->coeffs = av_calloc(s->n, sizeof(*s->coeffs)); - if (!s->coeffs) - return AVERROR(ENOMEM); + if (!s->coeffs) { + ret = AVERROR(ENOMEM); + goto cleanup; + } for (i = 0; i < n; i++) s->coeffs[i] = h[longer][i]; - av_free(h[longer]); av_tx_uninit(&s->tx); av_tx_uninit(&s->itx); + ret = 0; - return 0; +cleanup: + av_free(h[longer]); + return ret; } static av_cold void uninit(AVFilterContext *ctx) -- 2.50.0.106.gf0135a9047.dirty _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() 2025-06-30 15:01 [FFmpeg-devel] [PATCH v4 0/3] fix leak in avfilter/asrc_sinc and avformat/sapenc Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 1/3] avfilter/asrc_sinc: fix leak in config_input() Lidong Yan @ 2025-06-30 15:01 ` Lidong Yan 2025-07-04 13:56 ` Michael Niedermayer 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 3/3] avformat/sapenc: reword fail to cleanup " Lidong Yan 2 siblings, 1 reply; 5+ messages in thread From: Lidong Yan @ 2025-06-30 15:01 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Lidong Yan In sap_write_header(), ff_format_set_url() assign new allocated new_url to contexts[i]->url but forgot to free it later. Add for loop to free contexts[i]->url before av_free(context). To prevent from writing free-for-loop in every return point, replace `return 0` with `ret = 0` so normal execution can fall through cleanup code. Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> --- libavformat/sapenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/sapenc.c b/libavformat/sapenc.c index 87a834a8d8..0882690ba5 100644 --- a/libavformat/sapenc.c +++ b/libavformat/sapenc.c @@ -244,11 +244,15 @@ static int sap_write_header(AVFormatContext *s) goto fail; } - return 0; + ret = 0; fail: + for (i = 0; i < s->nb_streams; i++) + if (contexts[i]) + av_free(contexts[i]->url); av_free(contexts); - sap_write_close(s); + if (ret < 0) + sap_write_close(s); return ret; } -- 2.50.0.106.gf0135a9047.dirty _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() Lidong Yan @ 2025-07-04 13:56 ` Michael Niedermayer 0 siblings, 0 replies; 5+ messages in thread From: Michael Niedermayer @ 2025-07-04 13:56 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1634 bytes --] On Mon, Jun 30, 2025 at 11:01:13PM +0800, Lidong Yan wrote: > In sap_write_header(), ff_format_set_url() assign new allocated new_url > to contexts[i]->url but forgot to free it later. Add for loop to free > contexts[i]->url before av_free(context). > > To prevent from writing free-for-loop in every return point, replace > `return 0` with `ret = 0` so normal execution can fall through cleanup > code. > > Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> > --- > libavformat/sapenc.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/libavformat/sapenc.c b/libavformat/sapenc.c > index 87a834a8d8..0882690ba5 100644 > --- a/libavformat/sapenc.c > +++ b/libavformat/sapenc.c > @@ -244,11 +244,15 @@ static int sap_write_header(AVFormatContext *s) > goto fail; > } > > - return 0; > + ret = 0; > av_freep(&contexts); ... if (sap->ann_size > sap->ann_fd->max_packet_size) { av_log(s, AV_LOG_ERROR, "Announcement too large to send in one " "packet\n"); goto fail; > fail: > + for (i = 0; i < s->nb_streams; i++) > + if (contexts[i]) > + av_free(contexts[i]->url); contexts will be NULL so i would assume contexts[i] will segfault thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Rewriting code that is poorly written but fully understood is good. Rewriting code that one doesnt understand is a sign that one is less smart than the original author, trying to rewrite it will not make it better. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH v4 3/3] avformat/sapenc: reword fail to cleanup in sap_write_header() 2025-06-30 15:01 [FFmpeg-devel] [PATCH v4 0/3] fix leak in avfilter/asrc_sinc and avformat/sapenc Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 1/3] avfilter/asrc_sinc: fix leak in config_input() Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() Lidong Yan @ 2025-06-30 15:01 ` Lidong Yan 2 siblings, 0 replies; 5+ messages in thread From: Lidong Yan @ 2025-06-30 15:01 UTC (permalink / raw) To: ffmpeg-devel; +Cc: Lidong Yan In sap_write_header(), normal execution would fall through to fail labeled code, thus cleanup would be a better name compared to fail. Replace the use of fail label with cleanup label. Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn> --- libavformat/sapenc.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libavformat/sapenc.c b/libavformat/sapenc.c index 0882690ba5..63436b9667 100644 --- a/libavformat/sapenc.c +++ b/libavformat/sapenc.c @@ -113,7 +113,7 @@ static int sap_write_header(AVFormatContext *s) if (getaddrinfo(host, NULL, &hints, &ai)) { av_log(s, AV_LOG_ERROR, "Unable to resolve %s\n", host); ret = AVERROR(EIO); - goto fail; + goto cleanup; } if (ai->ai_family == AF_INET) { /* Also known as sap.mcast.net */ @@ -130,7 +130,7 @@ static int sap_write_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Host %s resolved to unsupported " "address family\n", host); ret = AVERROR(EIO); - goto fail; + goto cleanup; } freeaddrinfo(ai); } @@ -138,7 +138,7 @@ static int sap_write_header(AVFormatContext *s) contexts = av_calloc(s->nb_streams, sizeof(*contexts)); if (!contexts) { ret = AVERROR(ENOMEM); - goto fail; + goto cleanup; } if (s->start_time_realtime == 0 || s->start_time_realtime == AV_NOPTS_VALUE) @@ -156,17 +156,17 @@ static int sap_write_header(AVFormatContext *s) s->protocol_whitelist, s->protocol_blacklist, NULL); if (ret) { ret = AVERROR(EIO); - goto fail; + goto cleanup; } ret = ff_rtp_chain_mux_open(&contexts[i], s, s->streams[i], fd, 0, i); if (ret < 0) - goto fail; + goto cleanup; s->streams[i]->priv_data = contexts[i]; s->streams[i]->time_base = contexts[i]->streams[0]->time_base; new_url = av_strdup(url); if (!new_url) { ret = AVERROR(ENOMEM); - goto fail; + goto cleanup; } ff_format_set_url(contexts[i], new_url); } @@ -181,13 +181,13 @@ static int sap_write_header(AVFormatContext *s) s->protocol_whitelist, s->protocol_blacklist, NULL); if (ret) { ret = AVERROR(EIO); - goto fail; + goto cleanup; } udp_fd = ffurl_get_file_handle(sap->ann_fd); if (getsockname(udp_fd, (struct sockaddr*) &localaddr, &addrlen)) { ret = AVERROR(EIO); - goto fail; + goto cleanup; } if (localaddr.ss_family != AF_INET #if HAVE_STRUCT_SOCKADDR_IN6 @@ -196,13 +196,13 @@ static int sap_write_header(AVFormatContext *s) ) { av_log(s, AV_LOG_ERROR, "Unsupported protocol family\n"); ret = AVERROR(EIO); - goto fail; + goto cleanup; } sap->ann_size = 8192; sap->ann = av_mallocz(sap->ann_size); if (!sap->ann) { ret = AVERROR(EIO); - goto fail; + goto cleanup; } sap->ann[pos] = (1 << 5); #if HAVE_STRUCT_SOCKADDR_IN6 @@ -231,7 +231,7 @@ static int sap_write_header(AVFormatContext *s) if (av_sdp_create(contexts, s->nb_streams, &sap->ann[pos], sap->ann_size - pos)) { ret = AVERROR_INVALIDDATA; - goto fail; + goto cleanup; } av_freep(&contexts); av_log(s, AV_LOG_VERBOSE, "SDP:\n%s\n", &sap->ann[pos]); @@ -241,12 +241,12 @@ static int sap_write_header(AVFormatContext *s) if (sap->ann_size > sap->ann_fd->max_packet_size) { av_log(s, AV_LOG_ERROR, "Announcement too large to send in one " "packet\n"); - goto fail; + goto cleanup; } ret = 0; -fail: +cleanup: for (i = 0; i < s->nb_streams; i++) if (contexts[i]) av_free(contexts[i]->url); -- 2.50.0.106.gf0135a9047.dirty _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-07-04 13:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-06-30 15:01 [FFmpeg-devel] [PATCH v4 0/3] fix leak in avfilter/asrc_sinc and avformat/sapenc Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 1/3] avfilter/asrc_sinc: fix leak in config_input() Lidong Yan 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 2/3] avformat/sapenc: fix leak in sap_write_header() Lidong Yan 2025-07-04 13:56 ` Michael Niedermayer 2025-06-30 15:01 ` [FFmpeg-devel] [PATCH v4 3/3] avformat/sapenc: reword fail to cleanup " Lidong Yan
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git