[FFmpeg-devel] [PATCH] Fix mem leak interrupt during avformat_open_input
Schenk, Michael
Michael.Schenk at albistechnologies.com
Sun Apr 6 16:53:55 CEST 2014
Hi,
I agree on the MOV issue and I discovered an issue too in the OGGDEC.
Please find attached a revised patch which solves potential crashes with MOV and OGG.
Cheers
Michael
________________________________________
From: ffmpeg-devel-bounces at ffmpeg.org <ffmpeg-devel-bounces at ffmpeg.org> on behalf of Michael Niedermayer <michaelni at gmx.at>
Sent: Saturday, April 5, 2014 5:33 PM
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH] Fix mem leak interrupt during avformat_open_input
On Thu, Apr 03, 2014 at 07:48:36AM +0000, Schenk, Michael wrote:
> Hi!,
>
> When using interrupt_callback during avformat_open_input(...) it may happen on certain demux that they
> leak memory because iformat->read_close() will not be called in the error path. The attached patch
> fixes that.
>
> Feedback welcome.
>
> Cheers
>
> Michael
> utils.c | 7 +++++++
> 1 file changed, 7 insertions(+)
> 0bd2d5039595099bb4b3733fea86c64f980b505a fix_memleak_abort_avformat_open_input.patch
> --- ffmpeg-HEAD-fd2bcfc.org/libavformat/utils.c 2014-04-03 03:26:27.000000000 +0200
> +++ ffmpeg-HEAD-fd2bcfc/libavformat/utils.c 2014-04-03 09:32:07.393175139 +0200
> @@ -598,6 +598,13 @@
> fail:
> ff_id3v2_free_extra_meta(&id3v2_extra_meta);
> av_dict_free(&tmp);
> +
> + if (s->iformat) {
> + if (s->iformat->read_close) {
> + s->iformat->read_close(s);
> + }
> + }
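Review bot: the added s->iformat->read_close(s) call under fail: has no check that the demuxer's read_header ran or completed, so read_close can be handed private data that is only partly set up; the valgrind trace in this reply (mov_read_close calling av_freep on address 0x8) is consistent with that. Either gate the call on a condition showing the header step was actually entered, or audit each demuxer's read_close so it tolerates NULL and half-initialized fields before this lands. As a style point, the two nested ifs can be a single condition, if (s->iformat && s->iformat->read_close).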
this crashes
example:
==505== Invalid read of size 8
==505== at 0xD0AB4E: av_freep (mem.c:239)
==505== by 0x562F80: mov_read_close (mov.c:3347)
==505== by 0x610727: avformat_open_input (utils.c:604)
==505== by 0x419748: open_input_file (ffmpeg_opt.c:844)
==505== by 0x4216C4: open_files (ffmpeg_opt.c:2610)
==505== by 0x421842: ffmpeg_parse_options (ffmpeg_opt.c:2647)
==505== by 0x4344BF: main (ffmpeg.c:3717)
==505== Address 0x8 is not stack'd, malloc'd or (recently) free'd
for this patch to be acceptable, as many as possible of the error
paths that trigger this code would have to be tested
testing it with many fuzzed files would cover some of this ...
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
DNS cache poisoning attacks, popular search engine, Google internet authority
dont be evil, please
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_memleak_abort_avformat_open_input_v2.patch
Type: application/octet-stream
Size: 1300 bytes
Desc: fix_memleak_abort_avformat_open_input_v2.patch
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20140406/8c453004/attachment.obj>
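
The failure mode discussed in this thread, as an added C example that is not part of the original messages or of FFmpeg: a close routine called from the error path sees whatever the header parser had built when it was interrupted, so it must check every pointer before using it. All names (Ctx, Track, demo_*) are hypothetical, and modelling the crash as a close routine touching a slot that was never filled is an assumption for illustration, not a diagnosis of mov.c.

```c
#include <stdlib.h>

/* Hypothetical miniature of a demuxer's private state (not FFmpeg code). */
typedef struct Track { unsigned char *index; } Track;
typedef struct Ctx {
    Track **tracks;   /* slot array is allocated first, slots filled one by one */
    int nb_tracks;
    int live_allocs;  /* allocation counter so the demo can detect leaks */
} Ctx;

static void *ctx_alloc(Ctx *c, size_t n) {
    void *p = calloc(1, n);
    if (p) c->live_allocs++;
    return p;
}
static void ctx_free(Ctx *c, void *p) { if (p) { free(p); c->live_allocs--; } }

/* Header parsing that stops before track `abort_after`, as an interrupt
 * callback could force; pass -1 to let it run to completion. */
static int demo_read_header(Ctx *c, int want, int abort_after) {
    c->tracks = ctx_alloc(c, want * sizeof(*c->tracks));
    if (!c->tracks) return -1;
    c->nb_tracks = want;                  /* count is set before slots are filled */
    for (int i = 0; i < want; i++) {
        if (i == abort_after) return -1;  /* interrupted: remaining slots stay NULL */
        if (!(c->tracks[i] = ctx_alloc(c, sizeof(Track)))) return -1;
        if (!(c->tracks[i]->index = ctx_alloc(c, 64))) return -1;
    }
    return 0;
}

/* Close routine that is safe on any partially built state. */
static void demo_read_close(Ctx *c) {
    for (int i = 0; c->tracks && i < c->nb_tracks; i++) {
        Track *t = c->tracks[i];
        if (!t) continue;                 /* without this check: NULL dereference */
        ctx_free(c, t->index);
        ctx_free(c, t);
    }
    ctx_free(c, c->tracks);
    c->tracks = NULL;
    c->nb_tracks = 0;
}

/* Open wrapper: on failure, run close once so the error path leaks nothing. */
static int demo_open(Ctx *c, int want, int abort_after) {
    int ret = demo_read_header(c, want, abort_after);
    if (ret < 0) demo_read_close(c);
    return ret;
}
```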