Overwrite cm->error->detail before freeing

Help detect use after free of the return value of
vpx_codec_error_detail(). If vpx_codec_error_detail() is called after
vpx_codec_encode() fails, the return value may be equal to
cm->error->detail, which is freed when vpx_codec_destroy() is called.

Document the lifetime of the string returned by
vpx_codec_error_detail().

Change-Id: I8089e90a4499b4f3cc5b9cfdbb25d72368faa319

diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
index 662ec24..f76eec2 100644 (file)
--- a/vp9/encoder/vp9_encoder.c
+++ b/vp9/encoder/vp9_encoder.c
@@ -12,6 +12,7 @@
 #include <math.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 #include "./vp9_rtcd.h"
 #include "./vpx_config.h"
@@ -2873,6 +2874,10 @@ void vp9_remove_compressor(VP9_COMP *cpi) {
 
   vp9_extrc_delete(&cpi->ext_ratectrl);
 
+  // Help detect use after free of the error detail string.
+  memset(cm->error.detail, 'A', sizeof(cm->error.detail) - 1);
+  cm->error.detail[sizeof(cm->error.detail) - 1] = '\0';
+
   vp9_remove_common(cm);
   vp9_free_ref_frame_buffers(cm->buffer_pool);
 #if CONFIG_VP9_POSTPROC

diff --git a/vpx/vpx_codec.h b/vpx/vpx_codec.h
index ca18d90..0d61b07 100644 (file)
--- a/vpx/vpx_codec.h
+++ b/vpx/vpx_codec.h
@@ -323,7 +323,9 @@ const char *vpx_codec_error(const vpx_codec_ctx_t *ctx);
 /*!\brief Retrieve detailed error information for codec context
  *
  * Returns a human readable string providing detailed information about
- * the last error.
+ * the last error. The returned string is only valid until the next
+ * vpx_codec_* function call (except vpx_codec_error and
+ * vpx_codec_error_detail) on the codec context.
  *
  * \param[in]    ctx     Pointer to this instance's context.
  *