WebKit Bugzilla
Attachment 361148 Details for
Bug 194265
: vp8e_mr_alloc_mem() leaks LOWER_RES_FRAME_INFO if second memory allocation fails
[patch]
Patch v1
bug-194265-20190204182524.patch (text/plain), 4.12 KB, created by
David Kilzer (:ddkilzer)
on 2019-02-04 18:25:25 PST
Description:
Patch v1
Filename:
MIME Type:
Creator:
David Kilzer (:ddkilzer)
Created:
2019-02-04 18:25:25 PST
Size:
4.12 KB
patch
obsolete
>Subversion Revision: 240927
>diff --git a/Source/ThirdParty/libwebrtc/ChangeLog b/Source/ThirdParty/libwebrtc/ChangeLog
>index 3f4f1c88cfa5991a599ba623009ca144062b6034..c24473f9ddbd61b1c98515729e0f5978799bebf5 100644
>--- a/Source/ThirdParty/libwebrtc/ChangeLog
>+++ b/Source/ThirdParty/libwebrtc/ChangeLog
>@@ -1,3 +1,20 @@
>+2019-02-04 David Kilzer <ddkilzer@apple.com>
>+
>+ vp8e_mr_alloc_mem() leaks LOWER_RES_FRAME_INFO if second memory allocation fails
>+ <https://webkit.org/b/194265>
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c:
>+ (vp8e_mr_alloc_mem):
>+ - Initialize `res` to VPX_CODEC_OK instead of 0.
>+ - Return early if first calloc() fails instead of trying the
>+ second calloc(). The function would crash dereferencing
>+ nullptr in `shared_mem_loc->mb_info` otherwise.
>+ - Call free(shared_mem_loc) if the second call to calloc()
>+ fails. This fixes the leak.
>+ * WebKit/0003-libwebrtc-fix-vp8e_mr_alloc_mem-leak.diff: Add.
>+
> 2019-01-30 Commit Queue <commit-queue@webkit.org>
>
> Unreviewed, rolling out r240665.
>diff --git a/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c b/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>index d3e200594100186d7905755c9243c0b57918fde7..b67baab24d10c07b44b863917c71e9eb19a7223c 100644
>--- a/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>+++ b/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>@@ -577,7 +577,7 @@ static vpx_codec_err_t set_screen_content_mode(vpx_codec_alg_priv_t *ctx,
>
> static vpx_codec_err_t vp8e_mr_alloc_mem(const vpx_codec_enc_cfg_t *cfg,
> void **mem_loc) {
>- vpx_codec_err_t res = 0;
>+ vpx_codec_err_t res = VPX_CODEC_OK;
>
> #if CONFIG_MULTI_RES_ENCODING
> LOWER_RES_FRAME_INFO *shared_mem_loc;
>@@ -586,12 +586,13 @@ static vpx_codec_err_t vp8e_mr_alloc_mem(const vpx_codec_enc_cfg_t *cfg,
>
> shared_mem_loc = calloc(1, sizeof(LOWER_RES_FRAME_INFO));
> if (!shared_mem_loc) {
>- res = VPX_CODEC_MEM_ERROR;
>+ return VPX_CODEC_MEM_ERROR;
> }
>
> shared_mem_loc->mb_info =
> calloc(mb_rows * mb_cols, sizeof(LOWER_RES_MB_INFO));
> if (!(shared_mem_loc->mb_info)) {
>+ free(shared_mem_loc);
> res = VPX_CODEC_MEM_ERROR;
> } else {
> *mem_loc = (void *)shared_mem_loc;
>diff --git a/Source/ThirdParty/libwebrtc/WebKit/0003-libwebrtc-fix-vp8e_mr_alloc_mem-leak.diff b/Source/ThirdParty/libwebrtc/WebKit/0003-libwebrtc-fix-vp8e_mr_alloc_mem-leak.diff
>new file mode 100644
>index 0000000000000000000000000000000000000000..6c591e04d89d39f9c677afff1357940539e391f2
>--- /dev/null
>+++ b/Source/ThirdParty/libwebrtc/WebKit/0003-libwebrtc-fix-vp8e_mr_alloc_mem-leak.diff
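Review bot: Both failure paths in the `@@ -586,12 +586,13 @@` hunk exit without writing `*mem_loc`: the new `return VPX_CODEC_MEM_ERROR;` and the branch that now calls `free(shared_mem_loc)` leave the caller's pointer holding whatever it held before the call. The caller is not visible here, so this is inferred, but if it reads or frees that pointer without checking the return code first, it acts on an uninitialized or stale value. Adding `*mem_loc = NULL;` before the early return and directly after the `free()` would make the failure state explicit. The two paths also report the error differently (a direct return versus setting `res` and, presumably, falling through to a return outside the hunk), which is worth a one-line comment on the early return. The body of vp8e_mr_alloc_mem starts and ends outside the hunk, and the same lines are repeated in the added 0003-libwebrtc-fix-vp8e_mr_alloc_mem-leak.diff.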
>@@ -0,0 +1,28 @@
>+diff --git a/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c b/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>+index d3e20059410..b67baab24d1 100644
>+--- a/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>++++ b/Source/ThirdParty/libwebrtc/Source/third_party/libvpx/source/libvpx/vp8/vp8_cx_iface.c
>+@@ -577,7 +577,7 @@ static vpx_codec_err_t set_screen_content_mode(vpx_codec_alg_priv_t *ctx,
>+
>+ static vpx_codec_err_t vp8e_mr_alloc_mem(const vpx_codec_enc_cfg_t *cfg,
>+ void **mem_loc) {
>+- vpx_codec_err_t res = 0;
>++ vpx_codec_err_t res = VPX_CODEC_OK;
>+
>+ #if CONFIG_MULTI_RES_ENCODING
>+ LOWER_RES_FRAME_INFO *shared_mem_loc;
>+@@ -586,12 +586,13 @@ static vpx_codec_err_t vp8e_mr_alloc_mem(const vpx_codec_enc_cfg_t *cfg,
>+
>+ shared_mem_loc = calloc(1, sizeof(LOWER_RES_FRAME_INFO));
>+ if (!shared_mem_loc) {
>+- res = VPX_CODEC_MEM_ERROR;
>++ return VPX_CODEC_MEM_ERROR;
>+ }
>+
>+ shared_mem_loc->mb_info =
>+ calloc(mb_rows * mb_cols, sizeof(LOWER_RES_MB_INFO));
>+ if (!(shared_mem_loc->mb_info)) {
>++ free(shared_mem_loc);
>+ res = VPX_CODEC_MEM_ERROR;
>+ } else {
>+ *mem_loc = (void *)shared_mem_loc;
Attachments on
bug 194265
: 361148