Bug 79587 - use after free in vaTerminate
Summary: use after free in vaTerminate
Status: RESOLVED FIXED
Alias: None
Product: libva
Classification: Unclassified
Component: core
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: haihao
QA Contact: Sean V Kelley
Reported: 2014-06-03 11:32 UTC by Sebastian Ramacher
Modified: 2014-07-21 05:15 UTC

Description Sebastian Ramacher 2014-06-03 11:32:28 UTC
While running vainfo under valgrind, the following invalid reads and writes are reported:

==31716== Invalid read of size 8
==31716==    at 0x4E38B49: va_TraceEnd (va_trace.c:236)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38BAD: va_TraceEnd (va_trace.c:257)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid read of size 8
==31716==    at 0x4E38307: va_FoolEnd (va_fool.c:143)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38374: va_FoolEnd (va_fool.c:159)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)

This looks like a use after free error in vaTerminate to me. In va/va.c line 519 the resources get released, but they are accessed again in the lines below.
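
A triage aid for the memcheck output quoted above, added here as an example; it is not part of the original report or of libva. It groups each invalid read/write by the freed block it touches and by the code that freed it, and handles only `Invalid read`/`Invalid write` records. `SAMPLE` is a shortened copy of two of the quoted records, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two of the memcheck records from the report, stacks shortened.
SAMPLE = """\
==31716== Invalid read of size 8
==31716==    at 0x4E38B49: va_TraceEnd (va_trace.c:236)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716== Invalid write of size 8
==31716==    at 0x4E38374: va_FoolEnd (va_fool.c:159)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
BLOCK = re.compile(r"\s*Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)")

def group_by_free_site(log):
    """Group memcheck invalid accesses by the freed heap block they touch."""
    recs, in_free = [], False
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := ACCESS.match(line):
            recs.append({"kind": m[1], "access": [], "free": []})
            in_free = False
        elif recs and (m := BLOCK.match(line)):
            recs[-1].update(addr=int(m[1], 16), offset=int(m[2]), block=int(m[3]))
            in_free = True  # frames after this line are the free() stack
        elif recs and (m := FRAME.match(line)):
            recs[-1]["free" if in_free else "access"].append((m[1], m[2]))
    groups = defaultdict(list)
    for r in recs:
        # The first frame that is not free() itself is the code that released the block.
        freer = next((f for f in r["free"] if f[0] != "free"), None)
        if "addr" in r and freer and r["access"]:
            base = hex(r["addr"] - r["offset"])  # start of the freed block
            groups[(base, r["block"], freer)].append((r["kind"], r["offset"], r["access"][0]))
    return dict(groups)

if __name__ == "__main__":
    for (base, size, freer), hits in group_by_free_site(SAMPLE).items():
        print(f"block {base} ({size} bytes) freed in {freer[0]} at {freer[1]}")
        for kind, off, (func, loc) in hits:
            print(f"  {kind} at +{off} from {func} ({loc})")
```

On the sample, both accesses resolve to the same 72-byte block freed at va.c:519, at offsets 56 and 64.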
Comment 1 Sebastian Ramacher 2014-06-03 12:23:00 UTC
I just found http://cgit.freedesktop.org/libva/commit/va/va.c?h=staging&id=d4988142a3f2256e38c5c5cdcdfc1b4f5f3c1ea9. Sorry for the noise.