Headline
CVE-2020-22048: #8303 (memory leaks in ff_frame_pool_get()) – FFmpeg
A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c.
#8303 closed defect (fixed)
Reported by:
Owned by:
Priority:
important
Component:
undetermined
Version:
git-master
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer:
no
Analyzed by developer:
no
Summary of the bug:
There are memory leaks in ff_frame_pool_get()
How to reproduce:
% ffmpeg_g -t 3 -y -i $PoC -filter_complex colorspace -target dvd -loglevel 0 tmp.ads
ffmpeg version N-95441-g0ae6fb276b Copyright © 2000-2019 the FFmpeg developers built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final) configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
Here’s Valgrind log
==6446== HEAP SUMMARY: ==6446== in use at exit: 100,746 bytes in 33 blocks ==6446== total heap usage: 3,265 allocs, 3,232 frees, 2,295,813 bytes allocated ==6446== ==6446== 50,357 (536 direct, 49,821 indirect) bytes in 1 blocks are definitely lost in loss record 12 of 13 ==6446== at 0x9FE2E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==6446== by 0x9FE2F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==6446== by 0x592E949: av_malloc (mem.c:87) ==6446== by 0x592E949: av_mallocz (mem.c:238) ==6446== by 0x5902ADD: av_frame_alloc (frame.c:191) ==6446== by 0x64FBD5: ff_frame_pool_get (framepool.c:201) ==6446== by 0xFB8A9C: ff_default_get_video_buffer (video.c:90) ==6446== by 0xD20033: scale_frame (vf_scale.c:460) ==6446== by 0xD1F24C: filter_frame (vf_scale.c:549) ==6446== by 0x5CFE9C: ff_filter_frame_framed (avfilter.c:1084) ==6446== by 0x5CFE9C: ff_filter_frame_to_filter (avfilter.c:1232) ==6446== by 0x5CFE9C: ff_filter_activate_default (avfilter.c:1281) ==6446== by 0x5CFE9C: ff_filter_activate (avfilter.c:1443) ==6446== by 0x5F42A4: push_frame (buffersrc.c:187) ==6446== by 0x5F42A4: av_buffersrc_add_frame_internal (buffersrc.c:261) ==6446== by 0x5F2E7D: av_buffersrc_add_frame_flags (buffersrc.c:170) ==6446== by 0x4CAD5F: ifilter_send_frame (ffmpeg.c:2186) ==6446== by 0x4CAD5F: send_frame_to_filters (ffmpeg.c:2260) ==6446== ==6446== 50,357 (536 direct, 49,821 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 13 ==6446== at 0x9FE2E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==6446== by 0x9FE2F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==6446== by 0x592E949: av_malloc (mem.c:87) ==6446== by 0x592E949: av_mallocz (mem.c:238) ==6446== by 0x5902ADD: av_frame_alloc (frame.c:191) ==6446== by 0x64FBD5: ff_frame_pool_get (framepool.c:201) ==6446== by 0xFB8A9C: ff_default_get_video_buffer (video.c:90) ==6446== by 0x7FD3D4: filter_frame (vf_colorspace.c:770) ==6446== by 0x5CFE9C: ff_filter_frame_framed (avfilter.c:1084) ==6446== by 0x5CFE9C: ff_filter_frame_to_filter (avfilter.c:1232) ==6446== by 0x5CFE9C: ff_filter_activate_default (avfilter.c:1281) ==6446== by 0x5CFE9C: ff_filter_activate (avfilter.c:1443) ==6446== by 0x5F42BE: push_frame (buffersrc.c:187) ==6446== by 0x5F42BE: av_buffersrc_add_frame_internal (buffersrc.c:261) ==6446== by 0x5F2E7D: av_buffersrc_add_frame_flags (buffersrc.c:170) ==6446== by 0x4CAD5F: ifilter_send_frame (ffmpeg.c:2186) ==6446== by 0x4CAD5F: send_frame_to_filters (ffmpeg.c:2260) ==6446== by 0x4A07BB: decode_video (ffmpeg.c:2459) ==6446== by 0x4A07BB: process_input_packet (ffmpeg.c:2613) ==6446== ==6446== LEAK SUMMARY: ==6446== definitely lost: 1,072 bytes in 2 blocks ==6446== indirectly lost: 99,642 bytes in 30 blocks ==6446== possibly lost: 0 bytes in 0 blocks ==6446== still reachable: 32 bytes in 1 blocks ==6446== suppressed: 0 bytes in 0 blocks ==6446== Reachable blocks (those to which a pointer was found) are not shown. ==6446== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==6446== ==6446== For counts of detected and suppressed errors, rerun with: -v ==6446== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Please confirm.
Thanks