diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-24 05:46:08 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-26 00:20:50 +0200 |
| commit | 8f2c1f2cbe77685435362f1940b637a6c3ff1934 (patch) | |
| tree | 49044588b13bfbc71830f6406a60207e0d22bf8e | |
| parent | ae5369128aae77fae82b808b0805ef8e2596d95d (diff) | |
| download | ffmpeg-8f2c1f2cbe77685435362f1940b637a6c3ff1934.tar.gz | |
avfilter/af_amerge: Fix segfault upon allocation failure
The amerge filter uses a variable number of inpads and allocates them
in its init function; if all goes well, the number of inpads coincides
with a number stored in the filter's private context. Yet if allocating a
subsequent inpad fails, the uninit function nevertheless uses the number
stored in the private context to determine the number of inpads to free
and not the AVFilterContext's nb_inputs. This will lead to an access
beyond the end of the allocated AVFilterContext.input_pads array and
an invalid free.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
| -rw-r--r-- | libavfilter/af_amerge.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c index ca94a224af..93f6f17d22 100644 --- a/libavfilter/af_amerge.c +++ b/libavfilter/af_amerge.c @@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge); static av_cold void uninit(AVFilterContext *ctx) { AMergeContext *s = ctx->priv; - int i; - for (i = 0; i < s->nb_inputs; i++) { - if (ctx->input_pads) - av_freep(&ctx->input_pads[i].name); - } av_freep(&s->in); + for (unsigned i = 0; i < ctx->nb_inputs; i++) + av_freep(&ctx->input_pads[i].name); } static int query_formats(AVFilterContext *ctx) |