[libav-bugs] [Bug 1068] New: Memory leak in avtools/avconv.c, at function ifilter_send_frame()

bugzilla at libav.org bugzilla at libav.org
Tue Jun 27 06:31:18 CEST 2017


https://bugzilla.libav.org/show_bug.cgi?id=1068

            Bug ID: 1068
           Summary: Memory leak in avtools/avconv.c, at function
                    ifilter_send_frame()
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: ---
         Component: utilities
          Assignee: bugzilla at libav.org
          Reporter: shqking at gmail.com

Created attachment 670
  --> https://bugzilla.libav.org/attachment.cgi?id=670&action=edit
one possible patch

Hello.

A memory leak is found in avtools/avconv.c, at function ifilter_send_frame().
(I got the source code from
https://github.com/libav/libav/blob/master/avtools/avconv.c#L1198)

The vulnerable code snippet is shown below.
1226    /* (re)init the graph if possible, otherwise buffer the frame and return */
1227    if (need_reinit || !fg->graph) {
1228        for (i = 0; i < fg->nb_inputs; i++) {
1229            if (fg->inputs[i]->format < 0) {
1230                AVFrame *tmp = av_frame_clone(frame);
1231                if (!tmp)
1232                    return AVERROR(ENOMEM);
1233                av_frame_unref(frame);
1234
1235                if (!av_fifo_space(ifilter->frame_queue)) {
1236                    ret = av_fifo_realloc2(ifilter->frame_queue, 2 * av_fifo_size(ifilter->frame_queue));
1237                    if (ret < 0)
1238                        return ret;
1239                }
1240                av_fifo_generic_write(ifilter->frame_queue, &tmp, sizeof(tmp), NULL);
1241                return 0;
1242            }
1243        }

An av frame 'tmp' is allocated at line 1230, but it is NOT properly freed before
the function returns at line 1238.

Attached please find one possible patch I proposed.
Thanks.
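
The error path described in the report, modelled as an added stand-alone example (not libav code and not the attached patch). Frame, Fifo, frame_clone, frame_free, fifo_grow, both queue_frame_* functions and orphans_after_failed_grow are hypothetical stand-ins; a live-frame counter exposes the clone left behind when the queue cannot grow, next to one possible correction.

```c
/* Added example: every name here is a hypothetical stand-in, not a libav API. */
#include <errno.h>
#include <stdlib.h>
typedef struct Frame { int data; } Frame;
typedef struct Fifo { Frame **slot; int used, cap, fail_grow; } Fifo;
static int live_frames;                  /* clones allocated and not yet freed */

Frame *frame_clone(const Frame *src) {
    Frame *f = malloc(sizeof(*f));
    if (f) { *f = *src; live_frames++; }
    return f;
}
void frame_free(Frame **f) { if (*f) { free(*f); *f = NULL; live_frames--; } }
int fifo_grow(Fifo *q) {                 /* fail_grow models a failed realloc */
    Frame **n = q->fail_grow ? NULL : realloc(q->slot, 2 * q->cap * sizeof(*n));
    if (n) { q->slot = n; q->cap *= 2; }
    return n ? 0 : -ENOMEM;
}
/* Same shape as the reported snippet. */
int queue_frame_leaky(Fifo *q, const Frame *frame) {
    int ret;
    Frame *tmp = frame_clone(frame);
    if (!tmp) return -ENOMEM;
    if (q->used == q->cap && (ret = fifo_grow(q)) < 0)
        return ret;                      /* tmp is still allocated: leak */
    q->slot[q->used++] = tmp;
    return 0;
}
/* One possible correction: free the clone before propagating the error. */
int queue_frame_fixed(Fifo *q, const Frame *frame) {
    int ret;
    Frame *tmp = frame_clone(frame);
    if (!tmp) return -ENOMEM;
    if (q->used == q->cap && (ret = fifo_grow(q)) < 0) {
        frame_free(&tmp);
        return ret;
    }
    q->slot[q->used++] = tmp;
    return 0;
}
/* Clones left unowned after a call that hits the failed-grow path. */
int orphans_after_failed_grow(int (*queue)(Fifo *, const Frame *)) {
    Frame in = { 7 }, *slot[1];          /* constructed sample frame */
    Fifo q = { slot, 0, 1, 1 };          /* one slot, growth always refused */
    if (queue(&q, &in) < 0) return -1;   /* first call fills the only slot */
    int before = live_frames;
    int ret = queue(&q, &in) == -ENOMEM ? live_frames - before : -1;
    frame_free(&slot[0]);                /* release the clone the queue owns */
    return ret;
}
```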
