From 3d6b86e7045481c55b35d0daa4f19202bbe99dc1 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang
Date: Fri, 24 Mar 2023 11:32:36 -0700
Subject: Overwrite cm->error->detail before freeing

Help detect use after free of the return value of vpx_codec_error_detail(). If vpx_codec_error_detail() is called after vpx_codec_encode() fails, the return value may be equal to cm->error->detail, which is freed when vpx_codec_destroy() is called.

Document the lifetime of the string returned by vpx_codec_error_detail().

Change-Id: I8089e90a4499b4f3cc5b9cfdbb25d72368faa319
---
 vp9/encoder/vp9_encoder.c | 5 +++++
 vpx/vpx_codec.h | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
index 662ec24b8..f76eec2b5 100644
--- a/vp9/encoder/vp9_encoder.c
+++ b/vp9/encoder/vp9_encoder.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 
 #include "./vp9_rtcd.h"
 #include "./vpx_config.h"
@@ -2873,6 +2874,10 @@ void vp9_remove_compressor(VP9_COMP *cpi) {
 
   vp9_extrc_delete(&cpi->ext_ratectrl);
 
+  // Help detect use after free of the error detail string.
+  memset(cm->error.detail, 'A', sizeof(cm->error.detail) - 1);
+  cm->error.detail[sizeof(cm->error.detail) - 1] = '\0';
+
   vp9_remove_common(cm);
   vp9_free_ref_frame_buffers(cm->buffer_pool);
 #if CONFIG_VP9_POSTPROC
diff --git a/vpx/vpx_codec.h b/vpx/vpx_codec.h
index ca18d90cb..0d61b0738 100644
--- a/vpx/vpx_codec.h
+++ b/vpx/vpx_codec.h
@@ -323,7 +323,9 @@ const char *vpx_codec_error(const vpx_codec_ctx_t *ctx);
 /*!\brief Retrieve detailed error information for codec context
  *
  * Returns a human readable string providing detailed information about
- * the last error.
+ * the last error. The returned string is only valid until the next
+ * vpx_codec_* function call (except vpx_codec_error and
+ * vpx_codec_error_detail) on the codec context.
  *
  * \param[in] ctx Pointer to this instance's context.
  *
--
cgit v1.2.1
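Review bot: The poison fill at `memset(cm->error.detail, 'A', sizeof(cm->error.detail) - 1);` only helps when the freed memory is re-read in a build without a sanitizer, and the one-line comment above it says neither that nor why the final byte is deliberately kept as NUL; I would extend it to `// Poison the detail buffer before cm is freed so a stale pointer from vpx_codec_error_detail() reads 'AAA...' instead of the old message; keep it NUL-terminated so that read stays bounded.` The commit subject names `cm->error->detail` while the code poisons `cm->error.detail`, which the `sizeof` use shows to be an array member rather than a pointer, so the title should match the code. The VP8 encoder and the decoders are covered by the same vpx_codec_error_detail() contract being documented in the second file but are not touched here, so presumably the same poisoning belongs in their teardown paths — to be confirmed against those files. vp9_remove_compressor starts before this hunk, and `cm` is obtained outside it.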
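Review bot: The new lifetime sentence says when the returned pointer becomes stale but not what a caller should do about it; appending `Callers that need the text beyond that point must copy it.` after `on the codec context.` would close that gap. vpx_codec_error(), declared on this hunk's context line, returns a pointer of the same kind and its doc comment lies outside the hunk; if its return has a comparable lifetime, the same sentence belongs there too.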