GNOME Bugzilla – Bug 722669
h265parser: Crashes on broken streams because of freeing uninitialized pointer
Last modified: 2014-01-21 10:55:31 UTC
Created attachment 266833 [details] [review]
fix crash free of wrong pointer

In gst_h265_parser_parse_slice_hdr(), the slice->entry_point_offset_minus1 member is not initialized. At this point, if line 2242 fails, it goes to line 2469 and calls gst_h265_slice_hdr_free, which then causes a memory crash.

2442       READ_UE_ALLOWED (&nr, slice->num_entry_point_offsets, 0, offset_max);
2443       if (slice->num_entry_point_offsets > 0) {
2444         READ_UE_ALLOWED (&nr, slice->offset_len_minus1, 0, 31);
2445         slice->entry_point_offset_minus1 =
2446             g_new0 (guint32, slice->num_entry_point_offsets);
2447         for (i = 0; i < slice->num_entry_point_offsets; i++)
2448           READ_UINT32 (&nr, slice->entry_point_offset_minus1[i],
2449               (slice->offset_len_minus1 + 1));
2450       }
2451     }
2452
2453     if (pps->slice_segment_header_extension_present_flag) {
2454       guint16 slice_segment_header_extension_length;
2455       READ_UE_ALLOWED (&nr, slice_segment_header_extension_length, 0, 256);
2456       for (i = 0; i < slice_segment_header_extension_length; i++)
2457         if (!nal_reader_skip (&nr, 8))
2458           goto error;
2459     }
2460
2461     slice->header_size = nal_reader_get_pos (&nr);
2462     slice->n_emulation_prevention_bytes = nal_reader_get_epb_count (&nr);
2463
2464     return GST_H265_PARSER_OK;
2465
2466   error:
2467     GST_WARNING ("error parsing \"Slice header\"");
2468
2469     gst_h265_slice_hdr_free (slice);
2470
2471     return GST_H265_PARSER_ERROR;

I attached a test stream.
Created attachment 266834 [details] test stream - Rain_LG_60P.ts
This problem may not occur in a normal stream, but it is a potential problem.
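The pattern behind this report, as an added example that is not GStreamer code: a struct-with-pointer parser whose error label frees the pointer, exercised both as it was before the fix and with the pointer initialized up front. The byte encoding, the field limit of 16, the function names and the 0xAA poison pattern (standing in for whatever stale data the caller's stack holds) are all constructed for this example. It also shows why ordinary streams never crashed: a stream that is truncated after the allocation reaches the same error label with a valid pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal byte reader standing in for GStreamer's NalReader (constructed). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} ByteReader;

/* Hypothetical slice header: only the two fields the bug involves. */
typedef struct {
    uint32_t num_entry_point_offsets;
    uint32_t *entry_point_offset_minus1;    /* allocated only when count > 0 */
} SliceHdr;

static int read_u8(ByteReader *r, uint32_t *out)
{
    if (r->pos >= r->len)
        return 0;                           /* truncated stream */
    *out = r->data[r->pos++];
    return 1;
}

/* Counterpart of gst_h265_slice_hdr_free(): free(NULL) is a no-op,
 * free(<stale stack contents>) is a crash. */
static void slice_hdr_free(SliceHdr *s)
{
    free(s->entry_point_offset_minus1);
    s->entry_point_offset_minus1 = NULL;
}

/* Constructed encoding: one count byte (allowed 0..16), then count offset
 * bytes. initialize_first == 0 mirrors the pre-fix parser (fields left as
 * the caller passed them); 1 mirrors the fix of NULL-ing the pointer before
 * anything can fail. The real parser frees at its error label; here that
 * step is left to the caller so the unfixed variant can be inspected
 * without invoking undefined behaviour. */
static int parse_slice_hdr(ByteReader *r, SliceHdr *slice, int initialize_first)
{
    uint32_t i, v;

    if (initialize_first)
        slice->entry_point_offset_minus1 = NULL;

    if (!read_u8(r, &slice->num_entry_point_offsets))
        goto error;                         /* fails BEFORE the allocation */
    if (slice->num_entry_point_offsets > 16)
        goto error;                         /* READ_UE_ALLOWED-style range check */

    if (slice->num_entry_point_offsets > 0) {
        slice->entry_point_offset_minus1 =
            calloc(slice->num_entry_point_offsets, sizeof(uint32_t));
        if (!slice->entry_point_offset_minus1)
            goto error;
        for (i = 0; i < slice->num_entry_point_offsets; i++) {
            if (!read_u8(r, &v))
                goto error;                 /* fails AFTER the allocation: pointer is valid */
            slice->entry_point_offset_minus1[i] = v;
        }
    }
    return 0;

error:
    return -1;
}

/* Poison the header with 0xAA (stand-in for stale stack data), feed an empty
 * stream so the first read fails, and report whether the pointer the error
 * path would hand to free() is still garbage: 1 = bug, 0 = safe. */
static int error_path_pointer_is_garbage(int initialize_first)
{
    SliceHdr slice;
    ByteReader r = { NULL, 0, 0 };

    memset(&slice, 0xAA, sizeof(slice));
    if (parse_slice_hdr(&r, &slice, initialize_first) != -1)
        return -1;                          /* an empty stream must fail */
    return slice.entry_point_offset_minus1 != NULL;
}

/* Well-formed constructed stream: return the sum of parsed offsets, then free. */
static int parse_valid_stream_sum(void)
{
    static const uint8_t buf[] = { 3, 10, 20, 30 };
    ByteReader r = { buf, sizeof(buf), 0 };
    SliceHdr slice;
    uint32_t i, sum = 0;

    if (parse_slice_hdr(&r, &slice, 1) != 0)
        return -1;
    for (i = 0; i < slice.num_entry_point_offsets; i++)
        sum += slice.entry_point_offset_minus1[i];
    slice_hdr_free(&slice);
    return (int)sum;
}

/* Stream cut off after the allocation: even the unfixed parser reaches the
 * error label with a real allocation, so freeing it is safe. */
static int truncated_after_alloc_is_safe(void)
{
    static const uint8_t buf[] = { 3, 10 };
    ByteReader r = { buf, sizeof(buf), 0 };
    SliceHdr slice;

    memset(&slice, 0xAA, sizeof(slice));
    if (parse_slice_hdr(&r, &slice, 0) != -1 || slice.entry_point_offset_minus1 == NULL)
        return 0;
    slice_hdr_free(&slice);
    return 1;
}
```

The check that matters in review is the distance between the first `goto error` and the assignment of each pointer the error label frees: any failure in that window frees whatever the field happened to contain. Initializing every owned pointer at function entry (or zeroing the whole struct) closes the window regardless of how the checks are later reordered; a fuzzer feeding truncated NAL units, as the attached stream does, finds the gap quickly.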
commit 686c2f8e7950df9f7d8c527a21b640c96991f0b0
Author: duhui.lee <duhui.lee@lge.com>
Date:   Tue Jan 21 10:58:35 2014 +0900

    h265parser: Initialize pointer correctly that is never assigned but freed in error cases

    Fixes crash on broken streams.

    https://bugzilla.gnome.org/show_bug.cgi?id=722669