From: Andreas Rheinhardt
Date: Mon, 10 Feb 2025 17:34:38 +0100
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 3/6] avcodec/aac/aacdec_usac: Fix memory deallocation of pl_data
In-Reply-To: <20250209022421.2346210-3-michael@niedermayer.cc>
References: <20250209022421.2346210-1-michael@niedermayer.cc> <20250209022421.2346210-3-michael@niedermayer.cc>

Michael Niedermayer: > Fixes: double free > Fixes: 393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/aac/aacdec.c | 19 +++++++++++++++++-- > libavcodec/aac/aacdec_usac.c | 3 ++- > 2 files changed, 19 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c > index 8d50ad6d095..16259b5ada9 100644 > --- a/libavcodec/aac/aacdec.c > +++ b/libavcodec/aac/aacdec.c > @@ -421,6 +421,21 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) > return layout; > } > > +static void copy_oc(OutputConfiguration *dst, OutputConfiguration *src) > +{ > + int err = 0; Seems unused. > + > + for(int i = 0; i < dst->usac.nb_elems; i++) > + av_freep(&dst->usac.elems[i].ext.pl_data); > + > + *dst = *src; > + > + for(int i = 0; i < dst->usac.nb_elems; i++) { > + AACUsacElemConfig *e = &dst->usac.elems[i]; > + e->ext.pl_data = av_memdup(e->ext.pl_data, e->ext.pl_data_offset); Unchecked allocation. Furthermore, the *dst = *src makes cleanup on error here a PITA. Would making pl_data reference-counted (via RefStruct) work instead? > + } > +} > + > /** > * Save current output configuration if and only if it has been locked. > */ > @@ -429,7 +444,7 @@ static int push_output_configuration(AACDecContext *ac) > int pushed = 0; > > if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { > - ac->oc[0] = ac->oc[1]; > + copy_oc(&ac->oc[0], &ac->oc[1]); > pushed = 1; > } > ac->oc[1].status = OC_NONE;
> @@ -443,7 +458,7 @@ static int push_output_configuration(AACDecContext *ac) > static void pop_output_configuration(AACDecContext *ac) > { > if (ac->oc[1].status != OC_LOCKED && ac->oc[0].status != OC_NONE) { > - ac->oc[1] = ac->oc[0]; > + copy_oc(&ac->oc[1], &ac->oc[0]); > ac->avctx->ch_layout = ac->oc[1].ch_layout; > ff_aac_output_configure(ac, ac->oc[1].layout_map, ac->oc[1].layout_map_tags, > ac->oc[1].status, 0); > diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c > index ccdf58bc8e2..e6f86b4a677 100644 > --- a/libavcodec/aac/aacdec_usac.c > +++ b/libavcodec/aac/aacdec_usac.c > @@ -1604,7 +1604,8 @@ static int parse_ext_ele(AACDecContext *ac, AACUsacElemConfig *e, > if (!(pl_frag_start && pl_frag_end)) { > tmp = av_realloc(e->ext.pl_data, e->ext.pl_data_offset + len); > if (!tmp) { > - av_free(e->ext.pl_data); > + av_freep(&e->ext.pl_data); > + e->ext.pl_data_offset = 0; > return AVERROR(ENOMEM); > } > e->ext.pl_data = tmp;
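
Review bot: In copy_oc() (aacdec.c, hunk at -421), a failed av_memdup() leaves the element with pl_data == NULL while pl_data_offset still holds the source length, and since the function returns void neither caller can see the failure. Suggest returning int, setting e->ext.pl_data_offset = 0 on failure (as the aacdec_usac.c hunk does on its realloc failure path) and returning AVERROR(ENOMEM); that also gives the currently dead "int err = 0;" a purpose or lets it be dropped. Style: "for(" should be "for (", and src can be a pointer to const since it is only read.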
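
Review bot: In push_output_configuration() (hunk at -429), "pushed = 1;" is set unconditionally after the copy_oc() call, so a duplication that failed inside copy_oc() is still reported as a successful push. If copy_oc() is changed to return an error, check it here before setting pushed and decide how this function's int return value distinguishes an error from the 0/1 pushed flag.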
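
Review bot: In pop_output_configuration() (hunk at -443), replacing the struct assignment with copy_oc() means oc[0] and oc[1] each own a separate pl_data buffer per element after the call, yet the diffstat shows no change to any code that releases them. Please confirm that the decoder's teardown frees pl_data for the elements of both oc[] slots, otherwise the double free is exchanged for a leak; a one-line comment on copy_oc() stating that the destination owns its copies would document the new ownership rule.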
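
Review bot: The realloc failure path in parse_ext_ele() (aacdec_usac.c, hunk at -1604) is a separate fix from the copy_oc() change, and the commit message ("Fixes: double free") does not say which of the two the fuzzer case exercised; consider splitting this hunk into its own commit or naming both paths in the message. The reset could also be written with av_reallocp(&e->ext.pl_data, ...), which frees the buffer and sets the pointer to NULL on failure, leaving only "e->ext.pl_data_offset = 0;" to add.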