Bug 79587

Summary: use after free in vaTerminate
Product: libva
Reporter: Sebastian Ramacher <sramacher>
Component: core
Assignee: haihao <haihao.xiang>
Status: RESOLVED FIXED
QA Contact: Sean V Kelley <seanvk>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Sebastian Ramacher 2014-06-03 11:32:28 UTC
While running vainfo under valgrind, the following invalid reads and writes are reported:

==31716== Invalid read of size 8
==31716==    at 0x4E38B49: va_TraceEnd (va_trace.c:236)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38BAD: va_TraceEnd (va_trace.c:257)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid read of size 8
==31716==    at 0x4E38307: va_FoolEnd (va_fool.c:143)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38374: va_FoolEnd (va_fool.c:159)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)

This looks like a use after free error in vaTerminate to me. In va/va.c line 519 the resources get released, but they are accessed again in the lines below.
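The ordering defect the report points at, as an added illustration that is not libva's code: a simplified, hypothetical display context whose teardown hooks (stand-ins for va_TraceEnd and va_FoolEnd) dereference the context, first in the order valgrind complained about and then with the free moved after the hooks.

```c
#include <stdlib.h>

/* Hypothetical, simplified model of a display context; field names are
 * assumptions for this example, not libva's real struct layout. */
struct display_ctx {
    int trace_enabled;
    int trace_fd;
    int fool_enabled;
    int hooks_ran;      /* bookkeeping so the caller can observe ordering */
};

/* Stand-in for va_TraceEnd: reads and writes fields of the context. */
static void trace_end(struct display_ctx *ctx)
{
    if (ctx->trace_enabled && ctx->trace_fd >= 0)  /* read of ctx field */
        ctx->trace_fd = -1;                        /* write into ctx */
    ctx->hooks_ran++;
}

/* Stand-in for va_FoolEnd: likewise dereferences the context. */
static void fool_end(struct display_ctx *ctx)
{
    ctx->fool_enabled = 0;                         /* write into ctx */
    ctx->hooks_ran++;
}

/* Buggy order matching the report: the block is freed (va.c:519), then the
 * hooks touch it (va_trace.c:236/257, va_fool.c:143/159). Undefined
 * behaviour; only kept here to reproduce the valgrind report. */
static void terminate_buggy(struct display_ctx *ctx)
{
    free(ctx);
    trace_end(ctx);     /* invalid read/write of freed memory */
    fool_end(ctx);      /* invalid read/write of freed memory */
}

/* Corrected order: run every hook that needs the context, then free it.
 * Returns the number of hooks that ran while the context was still live. */
static int terminate_fixed(struct display_ctx *ctx)
{
    trace_end(ctx);
    fool_end(ctx);
    int ran = ctx->hooks_ran;   /* last read happens before the free */
    free(ctx);
    return ran;                 /* 2: both hooks ran before the free */
}

/* Constructed sample context with tracing and fool mode enabled. */
static struct display_ctx *make_ctx(void)
{
    struct display_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx) { ctx->trace_enabled = 1; ctx->trace_fd = 3; ctx->fool_enabled = 1; }
    return ctx;
}

int main(void)
{
    /* Swap in terminate_buggy and run under valgrind --tool=memcheck to see
     * the same "Invalid read ... free'd" report as in the description. */
    return terminate_fixed(make_ctx()) == 2 ? 0 : 1;
}
```

Building with `-g` and running the buggy variant under valgrind reports the use at the hook's line with the free site one frame below it, which is the shape of the report above.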
Comment 1 Sebastian Ramacher 2014-06-03 12:23:00 UTC
I just found http://cgit.freedesktop.org/libva/commit/va/va.c?h=staging&id=d4988142a3f2256e38c5c5cdcdfc1b4f5f3c1ea9. Sorry for the noise.