author | Ronald S. Bultje <rsbultje@gmail.com> | 2011-06-28 22:24:21 -0700 |
---|---|---|
committer | Carl Eugen Hoyos <cehoyos@ag.or.at> | 2011-07-01 02:40:47 +0200 |
commit | b62c0c0bce5c3a203a6e01a4f07d991718c5fac5 (patch) | |
tree | ba60b9f65fc54f996d5afea492bd0a1db2393735 | |
parent | 00498a7e59727cfe51703d84ac55e055b47c8872 (diff) | |
ogg: fix double free when finding length of small chained oggs.
ogg_save() copies streams[], but doesn't keep track of free()'ed
struct members. Thus, if in between a call to ogg_save() and
ogg_restore(), streams[].private was free()'ed, this would result
in a double free -> crash, which happened when e.g. playing small
chained ogg fragments.
(cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533)
-rw-r--r-- | libavformat/oggdec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 655da35dd4..dc9f7b62fd 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -240,7 +240,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) for (n = 0; n < ogg->nstreams; n++) { av_freep(&ogg->streams[n].buf); - av_freep(&ogg->streams[n].private); + if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private) + av_freep(&ogg->streams[n].private); } ogg->curidx = -1; ogg->nstreams = 0; |
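Review bot: the new condition reads `ogg->state->streams[n].private` with `n` bounded by `ogg->nstreams`, not by the number of streams in the saved state, so if the live context has gained streams since ogg_save() this indexes past the saved copy. Either bound the comparison by the saved state's stream count or add a comment stating the invariant that makes the index safe. The guard also deserves a one-line comment saying that the saved state still owns `private` when the pointers match, since the skipped free otherwise looks like a leak to the next reader. Two related points on the same loop: `buf` on the line above is still freed unconditionally, so it is worth confirming (and noting) that ogg_save() gives the saved state its own copy of `buf` rather than sharing the pointer the way it does for `private`; and the comparison only protects against this one free site, so any other path that frees `streams[n].private` between ogg_save() and ogg_restore() would still leave the saved copy holding a stale pointer.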