* [FFmpeg-devel] [PATCH 1/2] fftools/ffmpeg_mux_init: Fix attachment_filename use-after-free
From: Andreas Rheinhardt @ 2024-02-18 15:10 UTC
To: ffmpeg-devel; +Cc: Andreas Rheinhardt

The filename is freed with the OptionsContext and therefore
there will be a use-after-free when reporting the filename
in print_stream_maps(). So create a copy of the string.

This is a regression since 8aed3911fc454e79697e183660bf30d31334a64b.
fate-lavf-mkv_attachment exhibits it (and reports a random nonsense
filename here), but this does not make the test fail (not even with
valgrind; only with ASAN, as it aborts on use-after-free).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
fftools/ffmpeg.h | 2 +-
fftools/ffmpeg_mux.c | 2 ++
fftools/ffmpeg_mux_init.c | 10 +++++++++-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h
index 33750e0bb3..c394f60962 100644
--- a/fftools/ffmpeg.h
+++ b/fftools/ffmpeg.h
@@ -555,7 +555,7 @@ typedef struct OutputStream {
AVDictionary *swr_opts;
char *apad;
- const char *attachment_filename;
+ char *attachment_filename;
int keep_pix_fmt;
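Review bot: `char *attachment_filename` now holds an owned copy, but the declaration carries no comment saying so. A one-line comment on the field stating that the string is allocated per stream and released in ost_free() would make the ownership explicit and discourage assigning a borrowed pointer such as `o->attachments[i]` to it again.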
diff --git a/fftools/ffmpeg_mux.c b/fftools/ffmpeg_mux.c
index e65fe89992..5a648c0568 100644
--- a/fftools/ffmpeg_mux.c
+++ b/fftools/ffmpeg_mux.c
@@ -817,6 +817,8 @@ static void ost_free(OutputStream **post)
av_freep(&ost->logfile_prefix);
av_freep(&ost->apad);
+ av_freep(&ost->attachment_filename);
+
#if FFMPEG_OPT_MAP_CHANNEL
av_freep(&ost->audio_channels_map);
ost->audio_channels_mapped = 0;
diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c
index 0718487c53..1abbb2d945 100644
--- a/fftools/ffmpeg_mux_init.c
+++ b/fftools/ffmpeg_mux_init.c
@@ -1741,6 +1741,7 @@ static int of_add_attachments(Muxer *mux, const OptionsContext *o)
for (int i = 0; i < o->nb_attachments; i++) {
AVIOContext *pb;
uint8_t *attachment;
+ char *attachment_filename;
const char *p;
int64_t len;
@@ -1788,13 +1789,20 @@ read_fail:
av_log(mux, AV_LOG_VERBOSE, "Creating attachment stream from file %s\n",
o->attachments[i]);
+ attachment_filename = av_strdup(o->attachments[i]);
+ if (!attachment_filename) {
+ av_free(attachment);
+ return AVERROR(ENOMEM);
+ }
+
err = ost_add(mux, o, AVMEDIA_TYPE_ATTACHMENT, NULL, NULL, &ost);
if (err < 0) {
+ av_free(attachment_filename);
av_freep(&attachment);
return err;
}
- ost->attachment_filename = o->attachments[i];
+ ost->attachment_filename = attachment_filename;
ost->par_in->extradata = attachment;
ost->par_in->extradata_size = len;
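Review bot: the two error paths in this hunk release `attachment` inconsistently: the new ENOMEM branch calls `av_free(attachment)` while the `ost_add()` failure branch keeps `av_freep(&attachment)`. Both are correct because the function returns immediately afterwards, but using the same form in both branches would read more cleanly and avoid the question of whether the difference is intentional.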
--
2.34.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/2] tests/fate-run: Do not ignore errors from intermediate commands
From: Andreas Rheinhardt @ 2024-02-18 15:10 UTC
To: ffmpeg-devel; +Cc: Andreas Rheinhardt

Otherwise the test may pass while ignoring errors from sanitizers.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
tests/fate-run.sh | 44 ++++++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 16 deletions(-)
diff --git a/tests/fate-run.sh b/tests/fate-run.sh
index 9257fb368b..4b85fbf464 100755
--- a/tests/fate-run.sh
+++ b/tests/fate-run.sh
@@ -334,7 +334,7 @@ do_avconv(){
f="$1"
shift
set -- $* ${target_path}/$f
- run_avconv $*
+ run_avconv $* || return
do_md5sum $f
echo $(wc -c $f)
}
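Review bot: after `run_avconv $* || return`, the last line of do_avconv() can still hide a failure: `echo $(wc -c $f)` returns the status of echo, so a failing wc (for example when the output file was never created) goes unnoticed. Assigning the wc output to a variable with `|| return` and printing it afterwards would keep that status visible.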
@@ -351,7 +351,8 @@ lavf_audio(){
outdir="tests/data/lavf"
file=${outdir}/lavf.$t
test "$keep" -ge 1 || cleanfiles="$cleanfiles $file"
- do_avconv $file -auto_conversion_filters $DEC_OPTS $1 -ar 44100 -f s16le -i $pcm_src "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10 $2
+ do_avconv $file -auto_conversion_filters $DEC_OPTS $1 -ar 44100 -f s16le -i $pcm_src \
+ "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10 $2 || return
test "$4" = "disable_crc" ||
do_avconv_crc $file -auto_conversion_filters $DEC_OPTS $3 -i $target_path/$file
}
@@ -361,7 +362,8 @@ lavf_container(){
outdir="tests/data/lavf"
file=${outdir}/lavf.$t
test "$keep" -ge 1 || cleanfiles="$cleanfiles $file"
- do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $DEC_OPTS -ar 44100 -f s16le $1 -i $pcm_src "$ENC_OPTS -metadata title=lavftest" -b:a 64k -t 1 -qscale:v 10 $2
+ do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $DEC_OPTS \
+ -ar 44100 -f s16le $1 -i $pcm_src "$ENC_OPTS -metadata title=lavftest" -b:a 64k -t 1 -qscale:v 10 $2 || return
test "$3" = "disable_crc" ||
do_avconv_crc $file -auto_conversion_filters $DEC_OPTS -i $target_path/$file $3
}
@@ -384,7 +386,8 @@ lavf_container_fate()
file=${outdir}/lavf.$t
cleanfiles="$cleanfiles $file"
input="${target_samples}/$1"
- do_avconv $file -auto_conversion_filters $DEC_OPTS $2 -i "$input" "$ENC_OPTS -metadata title=lavftest" -vcodec copy -acodec copy
+ do_avconv $file -auto_conversion_filters $DEC_OPTS $2 -i "$input" \
+ "$ENC_OPTS -metadata title=lavftest" -vcodec copy -acodec copy || return
do_avconv_crc $file -auto_conversion_filters $DEC_OPTS -i $target_path/$file $3
}
@@ -401,7 +404,9 @@ lavf_image(){
cleanfiles="$cleanfiles $filename"
done
fi
- run_avconv $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $1 "$ENC_OPTS -metadata title=lavftest" -vf scale -frames $nb_frames -y -qscale 10 $target_path/$file
+ run_avconv $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $1 \
+ "$ENC_OPTS -metadata title=lavftest" -vf scale -frames $nb_frames \
+ -y -qscale 10 $target_path/$file || return
if [ -z "$no_file_checksums" ]; then
do_md5sum ${outdir}/02.$t
echo $(wc -c ${outdir}/02.$t)
@@ -414,7 +419,8 @@ lavf_image2pipe(){
t="${t%pipe}"
outdir="tests/data/lavf"
file=${outdir}/${t}pipe.$t
- do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src -f image2pipe "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10
+ do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src \
+ -f image2pipe "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10 || return
do_avconv_crc $file -auto_conversion_filters $DEC_OPTS -f image2pipe -i $target_path/$file
}
@@ -423,7 +429,8 @@ lavf_video(){
outdir="tests/data/lavf"
file=${outdir}/lavf.$t
test "$keep" -ge 1 || cleanfiles="$cleanfiles $file"
- do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10 $1 $2
+ do_avconv $file -auto_conversion_filters $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src \
+ "$ENC_OPTS -metadata title=lavftest" -t 1 -qscale 10 $1 $2 || return
do_avconv_crc $file -auto_conversion_filters $DEC_OPTS -i $target_path/$file $1
}
@@ -477,7 +484,7 @@ pixfmt_conversion(){
file=${outdir}/${conversion}.yuv
cleanfiles="$cleanfiles $raw_dst $file"
run_avconv $DEC_OPTS -r 1 -f image2 -c:v pgmyuv -i $raw_src \
- $ENC_OPTS -f rawvideo -t 1 -s 352x288 -pix_fmt $conversion $target_path/$raw_dst
+ $ENC_OPTS -f rawvideo -t 1 -s 352x288 -pix_fmt $conversion $target_path/$raw_dst || return
do_avconv $file $DEC_OPTS -f rawvideo -s 352x288 -pix_fmt $conversion -i $target_path/$raw_dst \
$ENC_OPTS -f rawvideo -s 352x288 -pix_fmt yuv444p
}
@@ -516,7 +523,7 @@ pixfmts(){
outertest=$test
for pix_fmt in $pix_fmts; do
test=$pix_fmt
- video_filter "${prefilter_chain}scale,format=$pix_fmt,$filter=$filter_args" -pix_fmt $pix_fmt -frames:v $nframes
+ video_filter "${prefilter_chain}scale,format=$pix_fmt,$filter=$filter_args" -pix_fmt $pix_fmt -frames:v $nframes || return
done
rm $in_fmts $scale_in_fmts $scale_out_fmts $scale_exclude_fmts
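Review bot: the `|| return` added to the video_filter call sits inside the `for pix_fmt` loop, so on failure pixfmts() exits before the `rm $in_fmts $scale_in_fmts $scale_out_fmts $scale_exclude_fmts` line and the temporary format lists are left behind; `test` also stays set to the failing pix_fmt instead of the value saved in `outertest`. Consider recording the status, breaking out of the loop, running the cleanup, and returning the saved status afterwards.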
@@ -533,16 +540,20 @@ gapless(){
cleanfiles="$cleanfiles $decfile1 $decfile2 $decfile3"
# test packet data
- ffmpeg -auto_conversion_filters $extra_args -i "$sample" -bitexact -c:a copy -f framecrc -y $(target_path $decfile1)
+ ffmpeg -auto_conversion_filters $extra_args -i "$sample" \
+ -bitexact -c:a copy -f framecrc -y $(target_path $decfile1) || return
do_md5sum $decfile1
# test decoded (and cut) data
- ffmpeg -auto_conversion_filters $extra_args -i "$sample" -bitexact -f wav md5:
+ ffmpeg -auto_conversion_filters $extra_args -i "$sample" -bitexact -f wav md5: || return
# the same as above again, with seeking to the start
- ffmpeg -auto_conversion_filters $extra_args -ss 0 -seek_timestamp 1 -i "$sample" -bitexact -c:a copy -f framecrc -y $(target_path $decfile2)
+ ffmpeg -auto_conversion_filters $extra_args -ss 0 -seek_timestamp 1 -i "$sample" \
+ -bitexact -c:a copy -f framecrc -y $(target_path $decfile2) || return
do_md5sum $decfile2
- ffmpeg -auto_conversion_filters $extra_args -ss 0 -seek_timestamp 1 -i "$sample" -bitexact -f wav md5:
+ ffmpeg -auto_conversion_filters $extra_args -ss 0 -seek_timestamp 1 -i "$sample" \
+ -bitexact -f wav md5: || return
# test packet data, with seeking to a specific position
- ffmpeg -auto_conversion_filters $extra_args -ss 5 -seek_timestamp 1 -i "$sample" -bitexact -c:a copy -f framecrc -y $(target_path $decfile3)
+ ffmpeg -auto_conversion_filters $extra_args -ss 5 -seek_timestamp 1 -i "$sample" \
+ -bitexact -c:a copy -f framecrc -y $(target_path $decfile3) || return
do_md5sum $decfile3
}
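Review bot: in gapless() every ffmpeg call now ends in `|| return`, but the `do_md5sum $decfile1` and `do_md5sum $decfile2` calls between them are still unchecked, so an error there is ignored and only the final `do_md5sum $decfile3` determines the function's status. Adding `|| return` to the first two would match the intent stated in the commit message.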
@@ -555,7 +566,8 @@ gaplessenc(){
cleanfiles="$cleanfiles $file1"
# test data after reencoding
- ffmpeg -i "$sample" -bitexact -map 0:a -c:a $codec -af aresample -f $format -y "$(target_path "$file1")"
+ ffmpeg -i "$sample" -bitexact -map 0:a -c:a $codec -af aresample \
+ -f $format -y "$(target_path "$file1")" || return
probegaplessinfo "$(target_path "$file1")"
}
@@ -567,7 +579,7 @@ audio_match(){
decfile="${outdir}/${test}.wav"
cleanfiles="$cleanfiles $decfile"
- ffmpeg -auto_conversion_filters -i "$sample" -bitexact $extra_args -y $(target_path $decfile)
+ ffmpeg -auto_conversion_filters -i "$sample" -bitexact $extra_args -y $(target_path $decfile) || return
tests/audiomatch${HOSTEXECSUF} $decfile $trefile
}
--
2.34.1
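
The failure mode this patch addresses, as an added example that is not part of the original message or of fate-run.sh: a shell function returns the status of its last command, so an earlier failing command goes unnoticed unless it is checked. `fake_tool`, the other function names and the exit status 134 are constructed stand-ins; the example also goes one step further and shows the related masking by `echo $(...)`.

```shell
# Constructed stand-in for a tool built with a sanitizer: it writes its
# output and then exits non-zero, as an aborting ASAN build would.
fake_tool() {
    echo "partial output" > "$1"
    return 134
}

# Pattern before the patch: the function's status is that of its last
# command, so the failure of fake_tool is lost.
step_unchecked() {
    fake_tool "$1"
    echo "$(wc -c < "$1")"
}

# Pattern after the patch: stop at the first failure; a bare "return"
# passes on the status of the command that just failed.
step_checked() {
    fake_tool "$1" || return
    echo "$(wc -c < "$1")"
}

# Related masking: echo succeeds even when the command substitution fails.
size_masked() {
    echo $(wc -c "$1.missing" 2>/dev/null)
}

# Assigning first keeps the substitution's status visible.
size_checked() {
    size=$(wc -c "$1.missing" 2>/dev/null) || return
    echo "$size"
}

# Run one of the functions above on a temporary file and print its exit status.
status_of() {
    tmp=$(mktemp -d) || return
    "$1" "$tmp/out" >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    echo "$rc"
}
```

`status_of step_unchecked` prints 0 although the tool failed, while `status_of step_checked` prints the tool's own status.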
* Re: [FFmpeg-devel] [PATCH 1/2] fftools/ffmpeg_mux_init: Fix attachment_filename use-after-free
From: Anton Khirnov @ 2024-02-18 16:57 UTC
To: FFmpeg development discussions and patches; +Cc: Andreas Rheinhardt
Quoting Andreas Rheinhardt (2024-02-18 16:10:06)
> The filename is freed with the OptionsContext and therefore
> there will be a use-after-free when reporting the filename
> in print_stream_maps(). So create a copy of the string.
>
> This is a regression since 8aed3911fc454e79697e183660bf30d31334a64b.
> fate-lavf-mkv_attachment exhibits it (and reports a random nonsense
> filename here), but this does not make the test fail (not even with
> valgrind; only with ASAN, as it aborts on use-after-free).
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
> ---
> fftools/ffmpeg.h | 2 +-
> fftools/ffmpeg_mux.c | 2 ++
> fftools/ffmpeg_mux_init.c | 10 +++++++++-
> 3 files changed, 12 insertions(+), 2 deletions(-)
Ok
--
Anton Khirnov
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel