Issue 1837 in webm: A potential crash in vpx_free_tpl_gop_stats


promp… via monorail

Jan 8, 2024, 6:17:10 AMJan 8
to webm-d...@webmproject.org
Status: Unconfirmed
Owner: ----

New issue 1837 by promp...@gmail.com: A potential crash in vpx_free_tpl_gop_stats
https://bugs.chromium.org/p/webm/issues/detail?id=1837

Dear Team,

I have identified a common coding pattern that could potentially cause a crash. The pattern is as follows:

```
VpxTplGopStats tpl_gop_stats;
vpx_read_tpl_gop_stats(tpl_file, &tpl_gop_stats); // initializes tpl_gop_stats->size
vpx_free_tpl_gop_stats(&tpl_gop_stats);
```

Upon examining the body of the function `vpx_read_tpl_gop_stats`, I noticed that if the allocation of `tpl_gop_stats->frame_stats_list` fails, it returns an ERROR while leaving `tpl_gop_stats->size` as initialized. Consequently, the following call to `vpx_free_tpl_gop_stats()` could result in a crash due to NULL pointer access of `tpl_gop_stats->frame_stats_list`.

Here is the relevant part of the `vpx_read_tpl_gop_stats` function:

```
vpx_codec_err_t vpx_read_tpl_gop_stats(FILE *tpl_file,
                                       VpxTplGopStats *tpl_gop_stats) {
  ...
  tpl_gop_stats->size = frame_list_size;
  tpl_gop_stats->frame_stats_list = (VpxTplFrameStats *)vpx_calloc(
      frame_list_size, sizeof(tpl_gop_stats->frame_stats_list[0]));
  if (tpl_gop_stats->frame_stats_list == NULL) {
    return VPX_CODEC_MEM_ERROR;
  }
```

Although a check of the return value of `vpx_read_tpl_gop_stats` could prevent this crash, I believe that our code should be more robust and general to avoid such issues. I am open to suggestions and discussions on how we can improve this.

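The failure mode in the report, as an added stand-alone C example (this is not libvpx code and not the reporter's; the struct layouts, the function names, the fault-injecting `tpl_calloc` and the "hardened" variants are assumptions made for illustration). `read_gop_stats_as_reported` keeps the ordering quoted above (size stored, then the allocation, then an early return), `free_would_deref_null` states the invariant that ordering breaks, and the two hardened routines show the two fixes a reviewer would ask for: publish `size` only after the list it describes exists, and have the free routine tolerate a NULL list and reset the struct so it can be freed twice.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for VpxTplFrameStats / VpxTplGopStats. Assumption: only the
 * fields the report talks about (size, frame_stats_list) plus a per-frame block list,
 * so the free loop has something to dereference. Not libvpx's definitions. */
typedef struct { int intra_cost; int inter_cost; } TplBlockStats;
typedef struct { int num_blocks; TplBlockStats *block_stats_list; } TplFrameStats;
typedef struct { int size; TplFrameStats *frame_stats_list; } TplGopStats;

enum { TPL_OK = 0, TPL_MEM_ERROR = 1 };

/* Fault-injecting allocator (constructed for this example): when g_fail_next_alloc is
 * set, the next call returns NULL, reproducing the allocation failure in the report. */
static int g_fail_next_alloc = 0;
static void *tpl_calloc(size_t n, size_t sz) {
  if (g_fail_next_alloc) { g_fail_next_alloc = 0; return NULL; }
  return calloc(n, sz);
}

/* Reader with the ordering the report quotes: size is stored before the allocation,
 * so an early return leaves size > 0 while frame_stats_list is still NULL. */
static int read_gop_stats_as_reported(int frame_list_size, int blocks_per_frame,
                                      TplGopStats *gop) {
  int i;
  gop->size = frame_list_size;
  gop->frame_stats_list = (TplFrameStats *)tpl_calloc(
      (size_t)frame_list_size, sizeof(gop->frame_stats_list[0]));
  if (gop->frame_stats_list == NULL) return TPL_MEM_ERROR;
  for (i = 0; i < frame_list_size; i++) {
    gop->frame_stats_list[i].num_blocks = blocks_per_frame;
    gop->frame_stats_list[i].block_stats_list =
        (TplBlockStats *)tpl_calloc((size_t)blocks_per_frame, sizeof(TplBlockStats));
    if (gop->frame_stats_list[i].block_stats_list == NULL) return TPL_MEM_ERROR;
  }
  return TPL_OK;
}

/* Free loop in the style the report assumes: walks size entries and dereferences
 * frame_stats_list for each. Calling this on the failed state above is the crash. */
static void free_gop_stats_as_reported(TplGopStats *gop) {
  int i;
  for (i = 0; i < gop->size; i++) free(gop->frame_stats_list[i].block_stats_list);
  free(gop->frame_stats_list);
}

/* The invariant the report says is violated: returns 1 when the loop above would
 * index through a NULL frame_stats_list. Lets the bad state be checked without crashing. */
static int free_would_deref_null(const TplGopStats *gop) {
  return gop->size > 0 && gop->frame_stats_list == NULL;
}

/* Hardened free: tolerates size/list disagreement and leaves the struct re-freeable. */
static void free_gop_stats_hardened(TplGopStats *gop) {
  int i;
  if (gop == NULL) return;
  if (gop->frame_stats_list != NULL) {
    for (i = 0; i < gop->size; i++) free(gop->frame_stats_list[i].block_stats_list);
    free(gop->frame_stats_list);
  }
  gop->frame_stats_list = NULL;
  gop->size = 0;
}

/* Hardened reader: size is published only once the list it describes exists, and any
 * partial allocation is released before the error is returned, so every exit leaves
 * the struct in a state even the plain free loop can handle. */
static int read_gop_stats_hardened(int frame_list_size, int blocks_per_frame,
                                   TplGopStats *gop) {
  int i;
  TplFrameStats *list =
      (TplFrameStats *)tpl_calloc((size_t)frame_list_size, sizeof(list[0]));
  gop->size = 0;
  gop->frame_stats_list = NULL;
  if (list == NULL) return TPL_MEM_ERROR;
  for (i = 0; i < frame_list_size; i++) {
    list[i].num_blocks = blocks_per_frame;
    list[i].block_stats_list =
        (TplBlockStats *)tpl_calloc((size_t)blocks_per_frame, sizeof(TplBlockStats));
    if (list[i].block_stats_list == NULL) {
      /* calloc zeroed the remaining entries, so freeing all of them is safe. */
      gop->frame_stats_list = list;
      gop->size = frame_list_size;
      free_gop_stats_hardened(gop);
      return TPL_MEM_ERROR;
    }
  }
  gop->size = frame_list_size;
  gop->frame_stats_list = list;
  return TPL_OK;
}

int main(void) {
  TplGopStats gop;
  g_fail_next_alloc = 1;
  if (read_gop_stats_as_reported(4, 16, &gop) != TPL_OK)
    printf("reported ordering: size=%d, free would deref NULL: %d\n", gop.size,
           free_would_deref_null(&gop));
  g_fail_next_alloc = 1;
  if (read_gop_stats_hardened(4, 16, &gop) != TPL_OK)
    printf("hardened ordering: size=%d, free would deref NULL: %d\n", gop.size,
           free_would_deref_null(&gop));
  free_gop_stats_hardened(&gop);
  return 0;
}
```

Either fix alone closes the reported crash; applying both is the usual choice, because the free routine is called from error paths the reader does not control, and a free that also resets `size` and the pointer turns a double free into a no-op as well.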

jz… via monorail

Jan 8, 2024, 2:37:14 PMJan 8
to webm-d...@webmproject.org
Updates:
Components: libvpx
Owner: ji...@google.com
Status: Assigned

Comment #1 on issue 1837 by jz...@google.com: A potential crash in vpx_free_tpl_gop_stats
https://bugs.chromium.org/p/webm/issues/detail?id=1837#c1

(No comment was entered for this change.)