Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

avifMetaDestroy: check meta pointer before accessing #2065

Merged
merged 4 commits into from
Mar 19, 2024
Merged

avifMetaDestroy: check meta pointer before accessing #2065

merged 4 commits into from
Mar 19, 2024

Conversation

jzern
Copy link
Collaborator

@jzern jzern commented Mar 18, 2024

fixes a NULL dereference should avifMetaCreate() fail and
avifDecoderDataDestroy() is called to clean up.

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

@jzern
avifMetaDestroy: check meta pointer before accessing
0bb3916 
fixes a NULL dereference should avifMetaCreate() fail and
avifDecoderDataDestroy() is called to clean up.

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
@jzern jzern requested review from wantehchang and y-guyon March 18, 2024 21:17
wantehchang
wantehchang reviewed Mar 18, 2024
View reviewed changes
Copy link
Collaborator

@wantehchang wantehchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix. I suggest two changes.

src/read.c Outdated
@@ -760,6 +760,10 @@ static avifMeta * avifMetaCreate()

static void avifMetaDestroy(avifMeta * meta)
{
if (meta == NULL) {
return;
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: The current style in src/read.c is to have the caller handle this. For example, see the second avifMetaDestroy() call in avifDecoderDataDestroy():

static void avifDecoderDataDestroy(avifDecoderData * data)
{
    avifMetaDestroy(data->meta);
    for (uint32_t i = 0; i < data->tracks.count; ++i) {
        avifTrack * track = &data->tracks.track[i];
        if (track->sampleTable) {
            avifSampleTableDestroy(track->sampleTable);
        }
        if (track->meta) {
            avifMetaDestroy(track->meta);
        }
    }
    avifArrayDestroy(&data->tracks);
    avifDecoderDataClearTiles(data);
    avifArrayDestroy(&data->tiles);
    avifFree(data);
}

So I suggest adding a similar null pointer check to the first avifMetaDestroy() call in avifDecoderDataDestroy().

    if (data->meta) {
        avifMetaDestroy(data->meta);
    }

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: The current style in src/read.c is to have the caller handle this. For example, see the second avifMetaDestroy() call in avifDecoderDataDestroy():

static void avifDecoderDataDestroy(avifDecoderData * data)
{
    avifMetaDestroy(data->meta);
    for (uint32_t i = 0; i < data->tracks.count; ++i) {
        avifTrack * track = &data->tracks.track[i];
        if (track->sampleTable) {
            avifSampleTableDestroy(track->sampleTable);
        }
        if (track->meta) {
            avifMetaDestroy(track->meta);
        }
    }
    avifArrayDestroy(&data->tracks);
    avifDecoderDataClearTiles(data);
    avifArrayDestroy(&data->tiles);
    avifFree(data);
}

So I suggest adding a similar null pointer check to the first avifMetaDestroy() call in avifDecoderDataDestroy().

    if (data->meta) {
        avifMetaDestroy(data->meta);
    }

Done

src/read.c Outdated
@@ -760,6 +760,10 @@ static avifMeta * avifMetaCreate()

static void avifMetaDestroy(avifMeta * meta)
{
if (meta == NULL) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit message should also acknowledge the person who ran nallocfuzz and reported this bug to us (Philippe Antoine).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit message should also acknowledge the person who ran nallocfuzz and reported this bug to us (Philippe Antoine).

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

This was the format I used in other projects, that was suggested by Philippe. I can add his name though.

wantehchang
wantehchang approved these changes Mar 18, 2024
View reviewed changes
Copy link
Collaborator

@wantehchang wantehchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@jzern jzern merged commit 70503d7 into AOMediaCodec:main Mar 19, 2024
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wantehchang wantehchang wantehchang approved these changes

@y-guyon y-guyon Awaiting requested review from y-guyon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jzern @wantehchang