Fix UB in void* pointer arithmetic and memory leak in VIF init#1476
Open
StormBytePP wants to merge 1 commit intoNetflix:masterfrom
Open
Fix UB in void* pointer arithmetic and memory leak in VIF init#1476StormBytePP wants to merge 1 commit intoNetflix:masterfrom
StormBytePP wants to merge 1 commit intoNetflix:masterfrom
Conversation
StormBytePP
added a commit
to StormBytePP/vmaf
that referenced
this pull request
Mar 29, 2026
StormBytePP
added a commit
to StormBytePP/vmaf
that referenced
this pull request
Mar 29, 2026
10 tasks
Collaborator
|
Maybe just change the original type instead of casting N times? |
Contributor
Author
I wanted to maintain the original format so the changes introduced are minimal. Edit: There are some fields which still require explicit casts if original type is changed (at least in mingw) like: So I reverted because I think it is more readable to have all casted uniformly instead of sometimes and sometimes not. What do you think? |
StormBytePP
force-pushed
the
fix_UB_pointer_arith
branch
from
e1dba8e to
d3ef638
Compare
Signed-off-by: David C. Manuelda <StormByte@gmail.com>
StormBytePP
force-pushed
the
fix_UB_pointer_arith
branch
from
d3ef638 to
8384c37
Compare
lusoris
pushed a commit
to lusoris/vmaf
that referenced
this pull request
Apr 18, 2026
…tflix#1476) Mirror upstream PR Netflix#1476 wholesale — two bugs in the integer VIF init function: 1. Pointer arithmetic on void * is a GCC extension and UB under strict ISO C. All `data += N` lines now go through `(char *)data + N` so the arithmetic is well-defined byte-stride. 2. The fail: cleanup label freed the local `data` pointer, which has been advanced through the arena by the carve-out loop above. The original allocation pointer is `s->public.buf.data`; freeing the advanced cursor either leaks or invokes UB on aligned_free's header-walk. Bundled per ADR-0108 (six deep-dive deliverables in same PR): - rebase-notes entry 0015 documents both invariants for next sync. - CHANGELOG row added under `### Fixed`. - Reproducer: meson test -C libvmaf/build (all 27 pass). - No ADR — pure upstream port, no fork-local design choice. Re-test: ninja -C libvmaf/build && meson test -C libvmaf/build Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
3 tasks
lusoris
pushed a commit
to lusoris/vmaf
that referenced
this pull request
Apr 19, 2026
Port the leak-fix half of upstream Netflix PR Netflix#1476. `init()` in `libvmaf/src/feature/integer_vif.c` carves one `aligned_malloc` into the VifBuffer sub-pointers by walking a `uint8_t *data` cursor forward through the allocation. When `vmaf_feature_name_dict_from_provided_features` returned NULL, the `fail:` handler called `aligned_free(data)` on the advanced cursor rather than the `aligned_malloc` return, leaking the whole block and passing a garbage pointer to `free`. Fail path now frees `s->public.buf.data`, the saved base pointer assigned at init-time. The companion void*→uint8_t* UB portability half of upstream PR Netflix#1476 is already on master via commit `b0a4ac3a` (rebase-notes 0022 §e), so this PR was rewritten to carry only the leak-fix delta. 2-line change. - rebase-notes.md: new entry 0023 with `rg` static-check reproducer - CHANGELOG.md: Fixed entry cross-linking to Netflix PR Netflix#1476 Validation: - meson test -C build → 29/29 OK - No SIMD / GPU impact (cold-path fail handler, same `goto fail` site) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
lusoris
pushed a commit
to lusoris/vmaf
that referenced
this pull request
Apr 19, 2026
Port the leak-fix half of upstream Netflix PR Netflix#1476. `init()` in `libvmaf/src/feature/integer_vif.c` carves one `aligned_malloc` into the VifBuffer sub-pointers by walking a `uint8_t *data` cursor forward through the allocation. When `vmaf_feature_name_dict_from_provided_features` returned NULL, the `fail:` handler called `aligned_free(data)` on the advanced cursor rather than the `aligned_malloc` return, leaking the whole block and passing a garbage pointer to `free`. Fail path now frees `s->public.buf.data`, the saved base pointer assigned at init-time. The companion void*→uint8_t* UB portability half of upstream PR Netflix#1476 is already on master via commit `b0a4ac3a` (rebase-notes 0022 §e), so this PR was rewritten to carry only the leak-fix delta. 2-line change. - rebase-notes.md: new entry 0023 with `rg` static-check reproducer - CHANGELOG.md: Fixed entry cross-linking to Netflix PR Netflix#1476 Validation: - meson test -C build → 29/29 OK - No SIMD / GPU impact (cold-path fail handler, same `goto fail` site) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
lusoris
pushed a commit
to lusoris/vmaf
that referenced
this pull request
Apr 19, 2026
Port the leak-fix half of upstream Netflix PR Netflix#1476. `init()` in `libvmaf/src/feature/integer_vif.c` carves one `aligned_malloc` into the VifBuffer sub-pointers by walking a `uint8_t *data` cursor forward through the allocation. When `vmaf_feature_name_dict_from_provided_features` returned NULL, the `fail:` handler called `aligned_free(data)` on the advanced cursor rather than the `aligned_malloc` return, leaking the whole block and passing a garbage pointer to `free`. Fail path now frees `s->public.buf.data`, the saved base pointer assigned at init-time. The companion void*→uint8_t* UB portability half of upstream PR Netflix#1476 is already on master via commit `b0a4ac3a` (rebase-notes 0022 §e), so this PR was rewritten to carry only the leak-fix delta. 2-line change. - rebase-notes.md: new entry 0023 with `rg` static-check reproducer - CHANGELOG.md: Fixed entry cross-linking to Netflix PR Netflix#1476 Validation: - meson test -C build → 29/29 OK - No SIMD / GPU impact (cold-path fail handler, same `goto fail` site) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
lusoris
added a commit
to lusoris/vmaf
that referenced
this pull request
Apr 19, 2026
Port the leak-fix half of upstream Netflix PR Netflix#1476. `init()` in `libvmaf/src/feature/integer_vif.c` carves one `aligned_malloc` into the VifBuffer sub-pointers by walking a `uint8_t *data` cursor forward through the allocation. When `vmaf_feature_name_dict_from_provided_features` returned NULL, the `fail:` handler called `aligned_free(data)` on the advanced cursor rather than the `aligned_malloc` return, leaking the whole block and passing a garbage pointer to `free`. Fail path now frees `s->public.buf.data`, the saved base pointer assigned at init-time. The companion void*→uint8_t* UB portability half of upstream PR Netflix#1476 is already on master via commit `b0a4ac3a` (rebase-notes 0022 §e), so this PR was rewritten to carry only the leak-fix delta. 2-line change. - rebase-notes.md: new entry 0023 with `rg` static-check reproducer - CHANGELOG.md: Fixed entry cross-linking to Netflix PR Netflix#1476 Validation: - meson test -C build → 29/29 OK - No SIMD / GPU impact (cold-path fail handler, same `goto fail` site) Co-authored-by: Lusoris <lusoris@pm.me> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix undefined behavior in
void*pointer arithmetic and a potential memory leak in the failure path ofvif_init().Changes
data += Noperations (which are UB onvoid*per C standard) with the portable and well-defined idiomdata = (char *)data + N.fail:label, we now free the original allocation pointer (s->public.buf.data) instead of the advanceddatapointer, preventing a memory leak whenvmaf_feature_name_dict_from_provided_features()fails.Why
void*aschar*for arithmetic), which is not guaranteed by the C standard and can break under strict conformance or aggressive optimizers.The memory layout and runtime behavior remain identical — only the correctness and portability are improved.
No functional change, only standard corrections.