diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-24 05:46:08 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2021-02-27 07:20:57 +0100 |
| commit | 7316177a44fcd325dff8d19a382c83a51f1dfacc (patch) | |
| tree | a6a9a085a8250749caf6a909ddc632ed1b0dd27a | |
| parent | 9ef72373131738c690cc6d1504a23a42cd220685 (diff) | |
| download | ffmpeg-7316177a44fcd325dff8d19a382c83a51f1dfacc.tar.gz | |
avfilter/af_amerge: Fix segfault upon allocation failure
The amerge filter uses a variable number of inpads and allocates them
in its init function; if all goes well, the number of inpads coincides
with a number stored in the filter's private context. Yet if allocating a
subsequent inpad fails, the uninit function nevertheless uses the number
stored in the private context to determine the number of inpads to free
and not the AVFilterContext's nb_inputs. This will lead to an access
beyond the end of the allocated AVFilterContext.input_pads array and
an invalid free.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 8f2c1f2cbe77685435362f1940b637a6c3ff1934)
| -rw-r--r-- | libavfilter/af_amerge.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c index 567f25982d..eb8b467157 100644 --- a/libavfilter/af_amerge.c +++ b/libavfilter/af_amerge.c @@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge); static av_cold void uninit(AVFilterContext *ctx) { AMergeContext *s = ctx->priv; - int i; - for (i = 0; i < s->nb_inputs; i++) { - if (ctx->input_pads) - av_freep(&ctx->input_pads[i].name); - } av_freep(&s->in); + for (unsigned i = 0; i < ctx->nb_inputs; i++) + av_freep(&ctx->input_pads[i].name); } static int query_formats(AVFilterContext *ctx) |