Bug#750429: libva: use after free

[Sebastian Ramacher]

Source: libva
Version: 1.3.1-1
Severity: important
Tags: upstream

There is a use-after-free error in vaTerminate. valgrind reports the following
errors when running vainfo:

==31716== Invalid read of size 8
==31716==    at 0x4E38B49: va_TraceEnd (va_trace.c:236)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38BAD: va_TraceEnd (va_trace.c:257)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid read of size 8
==31716==    at 0x4E38307: va_FoolEnd (va_fool.c:143)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38374: va_FoolEnd (va_fool.c:159)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)

On Ubuntu this causes SIGSEVs as reported in
https://bugs.launchpad.net/ubuntu/+source/libva/+bug/1325873.

Cheers
-- 
Sebastian Ramacher

signature.asc
Description: Digital signature