subject:"\[FFmpeg\-trac\] #7084\(avfilter\:new\)\: Memory leak in libavfilter\/graphparser.c"

Re: [FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

2018-03-14 Thread FFmpeg

#7084: Memory leak in libavfilter/graphparser.c
-+
 Reporter:  Kira |Owner:
 Type:  defect   |   Status:  new
 Priority:  normal   |Component:  avfilter
  Version:  unspecified  |   Resolution:
 Keywords:  leak |   Blocked By:
 Blocking:   |  Reproduced by developer:  0
Analyzed by developer:  0|
-+

Comment (by Kira):

 Replying to [comment:1 cehoyos]:
 > {{{
 > // reference: doc/examples/filtering_video.c
 > }}}
 > What is unclear about the first 13 lines of that file?
 >
 > Do you know why the issue is not reproducible with `ffmpeg`?
 I found that `ffmpeg` use `avfilter_graph_parse2` rather than
 `avfilter_graph_parse_ptr`. I think it's because of the different behavior
 between `avfilter_graph_parse2` and `avfilter_graph_parse_ptr`.

--
Ticket URL: 
FFmpeg 
FFmpeg issue tracker
___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-trac

Re: [FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

2018-03-13 Thread FFmpeg

#7084: Memory leak in libavfilter/graphparser.c
-+
 Reporter:  Kira |Owner:
 Type:  defect   |   Status:  new
 Priority:  normal   |Component:  avfilter
  Version:  unspecified  |   Resolution:
 Keywords:  leak |   Blocked By:
 Blocking:   |  Reproduced by developer:  0
Analyzed by developer:  0|
-+

Comment (by Kira):

 I'm terribly sorry about the copyright problem. I'm not a professional
 software developer, so I'm not familiar with the LICENSE stuff. Please
 forgive me about it. If anyone can help me make up for the problem I will
 be very grateful.
 Back to the bug, actually the bug is found during my fuzz. I fuzz the
 second parameter of `avfilter_graph_parse_ptr` which is `filters_descr`. I
 found the leak when `filters_descr` is an invalid value "spectrumsynth".
 The key point is to trigger the error in function `link_filter`. I don't
 know how `ffmpeg` resolves the input. But I think the problem is still
 there. If you really need to reproduce it with `ffmpeg`, maybe I will
 spend a lot of time on it...

--
Ticket URL: 
FFmpeg 
FFmpeg issue tracker
___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-trac

[FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

2018-03-13 Thread FFmpeg

#7084: Memory leak in libavfilter/graphparser.c
-+-
 Reporter:  Kira | Type:  defect
   Status:  new  | Priority:  normal
Component:  avfilter |  Version:
 Keywords:  memory   |  unspecified
  leak, parse_outputs|   Blocked By:
 Blocking:   |  Reproduced by developer:  0
Analyzed by developer:  0|
-+-
 parse_outputs from libavfilter/graphparser.c
 {{{
 #!div style="font-size: 80%"
   {{{#!C
  static int parse_outputs(const char **buf, AVFilterInOut **curr_inputs,
  AVFilterInOut **open_inputs,
  AVFilterInOut **open_outputs, void *log_ctx)
 {
 int ret, pad = 0;

 while (**buf == '[') {
 char *name = parse_link_name(buf, log_ctx);
 AVFilterInOut *match;

 AVFilterInOut *input = *curr_inputs;

 if (!name)
 return AVERROR(EINVAL);

 if (!input) {
 av_log(log_ctx, AV_LOG_ERROR,
"No output pad can be associated to link label
 '%s'.\n", name);
 av_free(name);
 return AVERROR(EINVAL);
 }
 *curr_inputs = (*curr_inputs)->next;

 /* First check if the label is not in the open_inputs list */
 match = extract_inout(name, open_inputs);

 if (match) {
 if ((ret = link_filter(input->filter_ctx, input->pad_idx,
match->filter_ctx, match->pad_idx,
 log_ctx)) < 0) {
 av_free(name);
 return ret;
 }
 av_freep(>name);
 av_freep();
 av_freep();
 av_freep();
 } else {
 /* Not in the list, so add the first input as an open_output
 */
 input->name = name;
 insert_inout(open_outputs, input);
 }
 *buf += strspn(*buf, WHITESPACES);
 pad++;
 }

 return pad;
 }
   }}}
 }}}
 line 361:
 match = extract_inout(name, open_inputs);
 Extract a node from the linked list open_inputs, the origin linked list
 changed here.
 extract_inout from libavfilter/graphparser.c
 {{{
 #!div style="font-size: 80%"
   {{{#!C
 static AVFilterInOut *extract_inout(const char *label, AVFilterInOut
 **links)
 {
 AVFilterInOut *ret;

 // find the first node whose name is same as label.
 while (*links && (!(*links)->name || strcmp((*links)->name, label)))
 links = &((*links)->next);

 ret = *links;

 if (ret) {  // off the chain
 *links = ret->next;
 ret->next = NULL;
 }

 return ret;
 }
   }}}
 }}}

 If the match found, we enter here.
 {{{
 #!div style="font-size: 80%"
   {{{#!C
 if (match) {
 if ((ret = link_filter(input->filter_ctx, input->pad_idx,
match->filter_ctx, match->pad_idx,
 log_ctx)) < 0) {
 av_free(name);
 return ret;
 }
 av_freep(>name);
 av_freep();
 av_freep();
 av_freep();
 }
   }}}
 }}}

 If the link_filter call fails, the variable match will never be freed!

 So the memory leak happens here.

 Compile the leak_poc.c

 Run it and use htop or something else to monitor the memory consumption of
 the process. You will see the leak.

--
Ticket URL: 
FFmpeg 
FFmpeg issue tracker
___
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-trac

Re: [FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

Re: [FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

[FFmpeg-trac] #7084(avfilter:new): Memory leak in libavfilter/graphparser.c

3 matches

Site Navigation

Mail list logo

Footer information