
CVE-2020-22054: #8315 (memory leaks in av_dict_set()) – FFmpeg

A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c.


#8315 closed defect (fixed)

Reported by:
Owned by:
Priority: minor
Component: ffmpeg
Version: git-master
Keywords: leak
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Summary of the bug:
There are memory leaks detected in av_dict_set().

How to reproduce:

% ffmpeg_g -y -i $PoC1 -i $PoC2 -filter_complex acompressor -target dvd -loglevel 0 -c pcm_s24le tmp.dnxhd

ffmpeg version N-95464-g7056ddc0e0 Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug

Here’s the Valgrind log:

==36149== HEAP SUMMARY:
==36149==     in use at exit: 1,046 bytes in 61 blocks
==36149==   total heap usage: 643 allocs, 582 frees, 2,630,129 bytes allocated
==36149==
==36149== 54 (16 direct, 38 indirect) bytes in 1 blocks are definitely lost in loss record 40 of 44
==36149==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==36149==    by 0x9FE3F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==36149==    by 0x592F079: av_malloc (mem.c:87)
==36149==    by 0x592F079: av_mallocz (mem.c:238)
==36149==    by 0x58EA3CC: av_dict_set (dict.c:89)
==36149==    by 0x45D36E: new_output_stream (ffmpeg_opt.c:1554)
==36149==    by 0x455A25: new_audio_stream (ffmpeg_opt.c:1860)
==36149==    by 0x4508EC: init_output_filter (ffmpeg_opt.c:2062)
==36149==    by 0x43481F: open_output_file (ffmpeg_opt.c:2187)
==36149==    by 0x42DE5E: open_files (ffmpeg_opt.c:3283)
==36149==    by 0x42DC06: ffmpeg_parse_options (ffmpeg_opt.c:3337)
==36149==    by 0x487BB3: main (ffmpeg.c:4862)
==36149==
==36149== LEAK SUMMARY:
==36149==    definitely lost: 16 bytes in 1 blocks
==36149==    indirectly lost: 38 bytes in 3 blocks
==36149==      possibly lost: 0 bytes in 0 blocks
==36149==    still reachable: 992 bytes in 57 blocks
==36149==         suppressed: 0 bytes in 0 blocks
==36149== Reachable blocks (those to which a pointer was found) are not shown.
==36149== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==36149==
==36149== For counts of detected and suppressed errors, rerun with: -v
==36149== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Please confirm.
Thanks
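
Reading the leak record above, as an added example (not part of the ticket or of FFmpeg's code): a Python triage script that parses Valgrind memcheck output and reports, for each "definitely lost" record, the allocation site and its immediate caller. The function names, the wrapper list and the abridged sample log are assumptions of this example.

```python
import re

# Constructed sample: the ticket's "definitely lost" record, abridged to its first frames.
SAMPLE = """\
==36149== 54 (16 direct, 38 indirect) bytes in 1 blocks are definitely lost in loss record 40 of 44
==36149==    at 0x9FE3E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==36149==    by 0x9FE3F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==36149==    by 0x592F079: av_malloc (mem.c:87)
==36149==    by 0x592F079: av_mallocz (mem.c:238)
==36149==    by 0x58EA3CC: av_dict_set (dict.c:89)
==36149==    by 0x45D36E: new_output_stream (ffmpeg_opt.c:1554)
==36149==    by 0x455A25: new_audio_stream (ffmpeg_opt.c:1860)
==36149==
==36149== LEAK SUMMARY:
==36149==    definitely lost: 16 bytes in 1 blocks
"""

HEADER = re.compile(r"^==\d+== ([\d,]+) (?:\([^)]*\) )?bytes in [\d,]+ blocks are (definitely|possibly) lost")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
# Assumption: generic allocators to skip; both names are taken from the trace above.
ALLOC_WRAPPERS = {"av_malloc", "av_mallocz"}

def parse_leaks(log):
    """Return one dict per loss record: total bytes, kind, ordered (function, location) frames."""
    records, current = [], None
    for line in log.splitlines():
        header, frame = HEADER.match(line), FRAME.match(line)
        if header:
            current = {"bytes": int(header.group(1).replace(",", "")),
                       "kind": header.group(2), "frames": []}
            records.append(current)
        elif frame and current is not None:
            current["frames"].append((frame.group(1), frame.group(2)))
        else:
            current = None  # a bare "==pid==" line or a new section closes the record
    return records

def triage(log):
    """For each definitely-lost record, name the allocation site and its immediate caller."""
    findings = []
    for rec in parse_leaks(log):
        if rec["kind"] != "definitely":
            continue
        # Keep frames with source locations, dropping shared objects and allocator wrappers.
        src = [f for f in rec["frames"] if not f[1].startswith("in ") and f[0] not in ALLOC_WRAPPERS]
        findings.append({"bytes": rec["bytes"], "site": src[0] if src else None,
                         "caller": src[1] if len(src) > 1 else None})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A non-empty result from `triage()` can be used to fail a CI job; memcheck must run with `--leak-check=full` for loss records to carry stack frames.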
