[libav-bugs] [Bug 1176] New: Memory leak in function qsv_decode_close in libavcodec/qsvdec_h2645.c

bugzilla at libav.org bugzilla at libav.org
Mon Oct 7 10:54:52 CEST 2019


https://bugzilla.libav.org/show_bug.cgi?id=1176

            Bug ID: 1176
           Summary: Memory leak in function qsv_decode_close in
                    libavcodec/qsvdec_h2645.c
           Product: Libav
           Version: git HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: yangx92 at hotmail.com

Hi, 

There is a memory leak vulnerability in function qsv_decode_close in
libavcodec/qsvdec_h2645.c.


static av_cold int qsv_decode_close(AVCodecContext *avctx)
{
    QSVH2645Context *s = avctx->priv_data;

    ff_qsv_decode_close(&s->qsv);

    qsv_clear_buffers(s);

    av_fifo_free(s->packet_fifo);

    return 0;
}

static av_cold int qsv_decode_init(AVCodecContext *avctx)
{
    QSVH2645Context *s = avctx->priv_data;
    int ret;

    if (avctx->codec_id == AV_CODEC_ID_HEVC && s->load_plugin !=
LOAD_PLUGIN_NONE) {
        static const char * const uid_hevcdec_sw =
"15dd936825ad475ea34e35f3f54217a6";
        static const char * const uid_hevcdec_hw =
"33a61c0b4c27454ca8d85dde757c6f8e";

        if (s->qsv.load_plugins[0]) {
            av_log(avctx, AV_LOG_WARNING,
                   "load_plugins is not empty, but load_plugin is not set to
'none'."
                   "The load_plugin value will be ignored.\n");
        } else {
            av_freep(&s->qsv.load_plugins);

            if (s->load_plugin == LOAD_PLUGIN_HEVC_SW)
                s->qsv.load_plugins = av_strdup(uid_hevcdec_sw);
            else
                s->qsv.load_plugins = av_strdup(uid_hevcdec_hw);
            if (!s->qsv.load_plugins)
                return AVERROR(ENOMEM);
        }
    }
    ...
}

As we can see in the function qsv_decode_init, when the condition
avctx->codec_id == AV_CODEC_ID_HEVC && s->load_plugin != LOAD_PLUGIN_NONE and
!(s->qsv.load_plugins[0]) satisfies, s->qsv.load_plugins is assigned by calling
function av_strdup.

However, s->qsv.load_plugins is not freed in function qsv_decode_close.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.libav.org/pipermail/libav-bugs/attachments/20191007/cb4d2b54/attachment.html>


More information about the libav-bugs mailing list