From: Wan-Teh Chang Date: Fri, 24 Mar 2023 18:32:36 +0000 (-0700) Subject: Overwrite cm->error->detail before freeing X-Git-Tag: accepted/tizen/7.0/unified/20240521.012539~1^2~182^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3d6b86e7045481c55b35d0daa4f19202bbe99dc1;p=platform%2Fupstream%2Flibvpx.git Overwrite cm->error->detail before freeing Help detect use after free of the return value of vpx_codec_error_detail(). If vpx_codec_error_detail() is called after vpx_codec_encode() fails, the return value may be equal to cm->error->detail, which is freed when vpx_codec_destroy() is called. Document the lifetime of the string returned by vpx_codec_error_detail(). Change-Id: I8089e90a4499b4f3cc5b9cfdbb25d72368faa319
---
diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
index 662ec24..f76eec2 100644
--- a/vp9/encoder/vp9_encoder.c
+++ b/vp9/encoder/vp9_encoder.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 #include "./vp9_rtcd.h"
 #include "./vpx_config.h"
@@ -2873,6 +2874,10 @@ void vp9_remove_compressor(VP9_COMP *cpi) {
 vp9_extrc_delete(&cpi->ext_ratectrl);
+ // Help detect use after free of the error detail string.
+ memset(cm->error.detail, 'A', sizeof(cm->error.detail) - 1);
+ cm->error.detail[sizeof(cm->error.detail) - 1] = '\0';
+
 vp9_remove_common(cm);
 vp9_free_ref_frame_buffers(cm->buffer_pool);
 #if CONFIG_VP9_POSTPROC
diff --git a/vpx/vpx_codec.h b/vpx/vpx_codec.h
index ca18d90..0d61b07 100644
--- a/vpx/vpx_codec.h
+++ b/vpx/vpx_codec.h
@@ -323,7 +323,9 @@ const char *vpx_codec_error(const vpx_codec_ctx_t *ctx);
 /*!\brief Retrieve detailed error information for codec context
 *
 * Returns a human readable string providing detailed information about
- * the last error.
+ * the last error. The returned string is only valid until the next
+ * vpx_codec_* function call (except vpx_codec_error and
+ * vpx_codec_error_detail) on the codec context.
 *
 * \param[in] ctx Pointer to this instance's context.
 *
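Review bot: The comment above the `memset` in vp9_remove_compressor() does not say where the stale pointer comes from or what the fill is for, so a later reader could take it for a mitigation or remove it as dead code. It is a debugging marker only: the buffer stays a valid NUL-terminated string, so a caller that keeps the vpx_codec_error_detail() result past vpx_codec_destroy() reads a run of 'A' only while the freed memory is still intact, and nothing guarantees that once it is reused. I would expand the comment to something like `// Poison the string so a vpx_codec_error_detail() result kept past vpx_codec_destroy() shows up as 'A's; debugging aid, not a mitigation.` If the free ever becomes visible to the optimizer (inlining or LTO), these stores could be dropped as dead, which is worth checking in a release build. `cm` is set outside this hunk and the function continues past it.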
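Review bot: The new lifetime sentence on vpx_codec_error_detail() tells callers when the string stops being valid but not what to do about it, and it leaves vpx_codec_destroy(), the case the commit message describes, implied under "vpx_codec_* function call". I would add one line after it, for example `* Copy the string if it is needed later; it must not be used after vpx_codec_destroy().` The doc comment continues past the end of this hunk.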