Bug#750429: libva: use after free

Sebastian Ramacher sramacher at debian.org
Tue Jun 3 11:12:42 UTC 2014


Source: libva
Version: 1.3.1-1
Severity: important
Tags: upstream

There is a use-after-free error in vaTerminate. valgrind reports the following
errors when running vainfo:

==31716== Invalid read of size 8
==31716==    at 0x4E38B49: va_TraceEnd (va_trace.c:236)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38BAD: va_TraceEnd (va_trace.c:257)
==31716==    by 0x4E36738: vaTerminate (va.c:523)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45a8 is 56 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid read of size 8
==31716==    at 0x4E38307: va_FoolEnd (va_fool.c:143)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)
==31716== 
==31716== Invalid write of size 8
==31716==    at 0x4E38374: va_FoolEnd (va_fool.c:159)
==31716==    by 0x4E36740: vaTerminate (va.c:525)
==31716==    by 0x401760: main (vainfo.c:149)
==31716==  Address 0x76d45b0 is 64 bytes inside a block of size 72 free'd
==31716==    at 0x4C2870C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31716==    by 0x4E36780: vaTerminate (va.c:519)
==31716==    by 0x401760: main (vainfo.c:149)

On Ubuntu this causes SIGSEGVs as reported in
https://bugs.launchpad.net/ubuntu/+source/libva/+bug/1325873.

Cheers
-- 
Sebastian Ramacher
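
An added example (not libva code and not part of the report) modelling the ordering the valgrind trace shows: a 72-byte block is freed at va.c:519, then read and written at offsets 56 and 64 by the hooks called at va.c:523 and va.c:525. All names, the handle table and the struct layout are hypothetical and assume an LP64 platform; the stale-handle check is one defensive pattern, not the upstream fix.

```c
#include <stddef.h>
#include <stdlib.h>
/* Hypothetical stand-in for the 72-byte block in the trace (LP64 assumed). */
struct display_ctx {
    char  other[56];
    void *hook_state[2];  /* [0] trace, offset 56; [1] fool, offset 64 */
};
#define MAX_DISPLAYS 4
static struct display_ctx *slots[MAX_DISPLAYS];  /* handle -> live block */
static int hook_obj;                             /* constructed hook state */
static struct display_ctx *lookup(int h) {
    return (h >= 0 && h < MAX_DISPLAYS) ? slots[h] : NULL;
}
/* Returns a handle (slot index), or -1 when out of slots or memory. */
int display_open(void) {
    for (int h = 0; h < MAX_DISPLAYS; h++) {
        if (slots[h]) continue;
        if (!(slots[h] = calloc(1, sizeof *slots[h]))) return -1;
        slots[h]->hook_state[0] = slots[h]->hook_state[1] = &hook_obj;
        return h;
    }
    return -1;
}
/* Frees the block: the step the trace attributes to va.c:519. */
void display_destroy(int h) {
    if (lookup(h)) { free(slots[h]); slots[h] = NULL; }
}

/* One 8-byte read and one 8-byte write on a hook field; stale handle refused. */
static int hook_end(int h, int which) {
    struct display_ctx *d = lookup(h);
    if (!d) return -1;
    if (d->hook_state[which]) d->hook_state[which] = NULL;
    return 0;
}
int trace_end(int h) { return hook_end(h, 0); }
int fool_end(int h)  { return hook_end(h, 1); }

/* Order in the report: free first, hooks after; here both hooks return -1. */
int terminate_report_order(int h) {
    display_destroy(h);
    return (trace_end(h) | fool_end(h)) ? -1 : 0;
}
/* Corrected order: hooks run on the live block, the free goes last. */
int terminate_fixed_order(int h) {
    int rc = (trace_end(h) | fool_end(h)) ? -1 : 0;
    display_destroy(h);
    return rc;
}
```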