avfilter/avfiltergraph: Fix use-after-free when inserting auto-converter

When inserting an auto-resampler, it may be that the configuration of the filters that the auto-resampler is supposed to connect is already partially merged, i.e. converter->inputs[0].incfg.foo and converter->outputs[0].outcfg.foo (where foo is one of formats, samplerates, channel_layouts) can coincide. Therefore merging the converter filter's input link might modify the outcfg of the converter' outlink. Yet the current code in avfiltergraph.c used pointers from before merging the inlink for merging the outlink, leading to a use-after-free in command lines like: $ ffmpeg -f lavfi -i anullsrc=cl=stereo -lavfi channelsplit,axcorrelate -f null - Fix this by not using outdated values when merging the outlink. This is a regression since 85a6404d. Found-by: Paul B Mahol <onemda@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

avfilter/avfiltergraph: Fix use-after-free when inserting auto-converter
When inserting an auto-resampler, it may be that the configuration of the filters that the auto-resampler is supposed to connect is already partially merged, i.e. converter->inputs[0].incfg.foo and converter->outputs[0].outcfg.foo (where foo is one of formats, samplerates, channel_layouts) can coincide. Therefore merging the converter filter's input link might modify the outcfg of the converter' outlink. Yet the current code in avfiltergraph.c used pointers from before merging the inlink for merging the outlink, leading to a use-after-free in command lines like: $ ffmpeg -f lavfi -i anullsrc=cl=stereo -lavfi channelsplit,axcorrelate -f null - Fix this by not using outdated values when merging the outlink. This is a regression since 85a6404d. Found-by: Paul B Mahol <onemda@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
5e1dac38 · Andreas Rheinhardt · 4ff88406 · 5e1dac38
Commit 5e1dac38 authored Oct 08, 2021 by Andreas Rheinhardt
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 6 deletions

avfiltergraph.c libavfilter/avfiltergraph.c +5 -6

No files found.
--- a/libavfilter/avfiltergraph.c
+++ b/libavfilter/avfiltergraph.c
@@ -520,14 +520,13 @@ static int query_formats(AVFilterGraph *graph, void *log_ctx)
                    av_assert0(outlink-> incfg.channel_layouts->refcount > 0);
                    av_assert0(outlink->outcfg.channel_layouts->refcount > 0);
                }
+#define MERGE(merger, link)                                                  \
+    ((merger)->merge(FF_FIELD_AT(void *, (merger)->offset, (link)->incfg),   \
+                     FF_FIELD_AT(void *, (merger)->offset, (link)->outcfg)))
                for (neg_step = 0; neg_step < neg->nb_mergers; neg_step++) {
                    const AVFilterFormatsMerger *m = &neg->mergers[neg_step];
-                    void *ia = FF_FIELD_AT(void *, m->offset, inlink->incfg);
-                    void *ib = FF_FIELD_AT(void *, m->offset, inlink->outcfg);
-                    void *oa = FF_FIELD_AT(void *, m->offset, outlink->incfg);
-                    void *ob = FF_FIELD_AT(void *, m->offset, outlink->outcfg);
-                    if ((ret = m->merge(ia, ib)) <= 0 ||
-                        (ret = m->merge(oa, ob)) <= 0) {
+                    if ((ret = MERGE(m,  inlink)) <= 0 ||
+                        (ret = MERGE(m, outlink)) <= 0) {
                        if (ret < 0)
                            return ret;
                        av_log(log_ctx, AV_LOG_ERROR,