author | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2021-10-06 17:21:04 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2021-10-10 14:27:13 +0200 |
commit | 18ddb25c7a58404641de2f6aa68220bd509e376c (patch) | |
tree | 3e1715b1873c98cb724f23d570759f7d5952ba05 | |
parent | 304cc0379870ebf155502069939582f1065ef3b5 (diff) | |
download | ffmpeg-18ddb25c7a58404641de2f6aa68220bd509e376c.tar.gz |
avfilter/asrc_flite: Fix use-after-frees
When an flite filter instance is uninitialized and the refcount
of the corresponding voice_entry reaches zero, the voice is
unregistered, yet the voice_entry's pointer to the voice is not reset.
(Whereas some other pointers are needlessly reset.)
Because of this a new flite filter instance will believe said voice
to already be registered, leading to use-after-frees.
Fix this by resetting the right pointer instead of the wrong ones.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-rw-r--r-- | libavfilter/asrc_flite.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libavfilter/asrc_flite.c b/libavfilter/asrc_flite.c index 0789dd6ff3..bd2ae774de 100644 --- a/libavfilter/asrc_flite.c +++ b/libavfilter/asrc_flite.c @@ -197,10 +197,10 @@ static av_cold void uninit(AVFilterContext *ctx) FliteContext *flite = ctx->priv; if (flite->voice_entry) { - if (!--flite->voice_entry->usage_count) + if (!--flite->voice_entry->usage_count) { flite->voice_entry->unregister_fn(flite->voice); - flite->voice = NULL; - flite->voice_entry = NULL; + flite->voice_entry->voice = NULL; + } } delete_wave(flite->wave); flite->wave = NULL; |
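Review bot: In uninit(), dropping `flite->voice_entry = NULL;` means the outer `if (flite->voice_entry)` guard no longer stops a second pass through this block, so a repeated call on the same context would run `--flite->voice_entry->usage_count` again and, when the count had reached zero, hand the stale `flite->voice` to `unregister_fn` a second time. If uninit is guaranteed to run exactly once per instance, a short comment saying so would document why the per-instance pointers can stay set; otherwise keep `flite->voice_entry = NULL;` after the inner block, next to the new `flite->voice_entry->voice = NULL;`. Separately, `usage_count` is decremented with a plain `--` on an entry the commit message describes as shared between filter instances, and no lock is visible in this hunk, so it is worth stating in the message or a comment what serializes init and uninit across instances.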