mtmd: fix double-close of ffmpeg/ffprobe stdin in video helper #24313
Closed
mudler wants to merge 1 commit into
mtmd_helper_video::feed_stdin() closes the FILE returned by
subprocess_stdin(), which is sp->stdin_file. The local fclose() leaves
sp->stdin_file dangling (still non-NULL), so the subsequent
subprocess_destroy() fclose()s the same FILE a second time, corrupting
the heap and aborting the process ("corrupted double-linked list" /
"corrupted size vs. prev_size").
This reproduces on the server's base64 input_video path (every
probe()/start_ffmpeg() feeds the buffer through stdin); the CLI
--video <file> path is unaffected because it never spawns the stdin
feeder.
Clear sp->stdin_file after fclose() so subprocess_destroy() skips it.
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
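The ownership rule described above, as an added example that is not part of the PR or the project's code: a handle that owns its stdin stream closes and clears it in one helper, so a feed followed by destroy closes the stream exactly once. The `proc_*` names and the `tmpfile()` stand-in for the child's pipe are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed stand-in for a subprocess handle that owns its stdin stream.
 * All names are hypothetical, not the project's or the library's API. */
struct proc {
    FILE *stdin_file;   /* owned by the handle; NULL once closed */
    int   close_calls;  /* instrumentation: fclose() calls made on stdin */
};

static int proc_open(struct proc *p) {
    p->stdin_file  = tmpfile();   /* stands in for the pipe to the child */
    p->close_calls = 0;
    return p->stdin_file ? 0 : -1;
}

/* The only place that closes stdin: close and clear in one step, so no
 * caller can leave the handle's pointer dangling. Safe to call twice. */
static int proc_close_stdin(struct proc *p) {
    if (!p->stdin_file) return 0;
    int rc = fclose(p->stdin_file);
    p->stdin_file = NULL;
    p->close_calls++;
    return rc;
}

/* Feeder: write the buffer, then signal EOF by closing stdin through the
 * helper instead of fclose()ing a borrowed copy of the pointer. */
static int proc_feed(struct proc *p, const void *buf, size_t len) {
    if (!p->stdin_file) return -1;
    size_t n = fwrite(buf, 1, len, p->stdin_file);
    int rc = proc_close_stdin(p);
    return (n == len && rc == 0) ? 0 : -1;
}

/* Destroy releases whatever is still open; after a feed it finds NULL. */
static void proc_destroy(struct proc *p) { proc_close_stdin(p); }

/* Feed then destroy, returning how many times the stream was closed.
 * The double-close pattern from the description would make this 2. */
static int feed_then_destroy_close_count(void) {
    struct proc p;
    const char data[] = "constructed video bytes";
    if (proc_open(&p) != 0) return -1;
    if (proc_feed(&p, data, sizeof data) != 0) return -1;
    proc_destroy(&p);
    return p.close_calls;
}

int main(void) { printf("fclose calls: %d\n", feed_then_destroy_close_count()); return 0; }
```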
ngxson
reviewed
Jun 8, 2026
Comment on lines +646 to +649
| // subprocess_stdin() returns sp->stdin_file directly; fclosing our local | ||
| // copy leaves the struct pointer dangling, so subprocess_destroy() would | ||
| // fclose() the same FILE again -> heap corruption. Null it so the later | ||
| // destroy skips stdin. |
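Review bot: the comment at lines +646 to +649 documents an ownership rule that the caller has to uphold by hand: whoever fclose()s the FILE returned by subprocess_stdin() must also clear sp->stdin_file. The assignment the comment introduces is not visible in these lines, so confirm it sits directly after the fclose() with no early return or error path between the two. Consider moving the close-and-clear pair into one helper next to subprocess_destroy() so the invariant lives in a single place rather than in each feeder, and the four-line comment can shrink to a one-line note at the call site.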
This comment was marked as outdated.
Collaborator
Thanks for reporting the issue; however, I decided to refactor the subprocess handling in #24316 (which makes it conflict with this PR). Could you check if it fixes the issue?
cc @ngxson
Requirements