Opened 6 years ago
Closed 6 years ago
#812 closed defect (fixed)
Use-after-free in DecLib::xDecodeAPS(InputNALUnit&)
| Reported by: | pierrick.bouvier | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | VTM-8.0 |
| Component: | VTM | Version: | VTM-7.3 |
| Keywords: | | Cc: | ksuehring, XiangLi, fbossen, jvet@… |
Description
In function DecLib::xDecodeAPS(InputNALUnit&), when storing an APS in parameterSetManager, the pointer can be freed if the APS has not changed.
In ParameterSetMap<APS>::storePS(int, APS*,...), we can observe that
    // work out changed flag: compares the new NAL payload with the stored one
    calculateParameterSetChangedFlag(mapData.bChanged, mapData.pNaluData, pNaluData);
    if( ! mapData.bChanged )
    {
      // just keep the old one: the map owns ps and frees it here,
      // so the caller's pointer dangles from this point on
      delete ps;
      return;
    }
This results in aps being deleted, which is fine.
Alas, just after storing it, we check its type:
    void DecLib::xDecodeAPS(InputNALUnit& nalu)
    {
      APS* aps = new APS();
      ...
      // storeAPS() takes ownership of aps and may delete it (see storePS above)
      m_parameterSetManager.storeAPS(aps, nalu.getBitstream().getFifo());
    #if JVET_P0257_SCALING_LISTS_SPEEDUP_DEC
      if (aps->getAPSType() == SCALING_LIST_APS) // reads aps after it may have been freed
      {
        setScalingListUpdateFlag(true); // USE-AFTER-FREE
      }
    #endif
    }
The fix is simply to store it after checking its type.
This bug was found by Clang Memory Sanitizer.
Merge request: https://vcgit.hhi.fraunhofer.de/jvet/VVCSoftware_VTM/merge_requests/1223
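As an added illustration (not VTM code), the following self-contained C++ model reproduces the ownership rule of storePS() described in the ticket and the corrected ordering, in which the APS type is read before the pointer is handed to the map. ParameterSetMap, APS, MapData and decodeApsFixed are stand-ins for the VTM types, and g_apsDeleted is a constructed counter used only to observe when the map frees a duplicate.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

// Added example, not VTM code: a minimal model of ParameterSetMap::storePS()
// ownership rules and of the check-then-store ordering for xDecodeAPS().
enum ApsType { ALF_APS, LMCS_APS, SCALING_LIST_APS };

static int g_apsDeleted = 0;  // constructed counter: APS objects freed so far

struct APS {
  int id;
  ApsType type;
  ~APS() { ++g_apsDeleted; }
  ApsType getAPSType() const { return type; }
};

struct MapData {
  std::unique_ptr<APS> ps;
  std::vector<uint8_t> naluData;  // raw NAL payload used for the "changed" test
};

// Like storePS(): the map takes ownership of ps and deletes it at once when an
// identical APS is already stored, so the caller must not use ps afterwards.
class ParameterSetMap {
 public:
  void storePS(int id, APS* ps, const std::vector<uint8_t>& naluData) {
    MapData& md = m_map[id];
    const bool changed = !md.ps || md.naluData != naluData;
    if (!changed) {
      delete ps;  // just keep the old one
      return;
    }
    md.ps.reset(ps);
    md.naluData = naluData;
  }
  std::size_t size() const { return m_map.size(); }
 private:
  std::map<int, MapData> m_map;
};

// The ordering used by the fix: every read of aps happens before storePS(),
// which is the last use of the raw pointer. Returns the scaling-list update flag.
bool decodeApsFixed(ParameterSetMap& mgr, int id, ApsType type,
                    const std::vector<uint8_t>& payload) {
  APS* aps = new APS{id, type};
  const bool updateScalingList = (aps->getAPSType() == SCALING_LIST_APS);
  mgr.storePS(id, aps, payload);  // ownership ends here; aps may already be freed
  return updateScalingList;
}
```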
Change history (1)
comment:1 Changed 6 years ago by ksuehring
- Milestone changed from VTM-7.2 to VTM-8.0
- Resolution set to fixed
- Status changed from new to closed
- Version set to VTM-7.3
The MR was merged.