aboutsummaryrefslogtreecommitdiffstats
path: root/ffbuild
diff options
context:
space:
mode:
authorAndreas Rheinhardt <andreas.rheinhardt@gmail.com>2021-02-15 03:26:04 +0100
committerJames Almer <jamrial@gmail.com>2021-10-19 19:05:16 -0300
commit010281ed230454042abf8b88696678c669a0f279 (patch)
tree6125e2eb4854f91fff3d54836fbe27873fa6e478 /ffbuild
parentf7c9b1ed56b98eede5756d6865a10305982b4570 (diff)
downloadffmpeg-010281ed230454042abf8b88696678c669a0f279.tar.gz
avformat/mpegenc: Ensure packet queue stays valid
The MPEG-PS muxer uses a custom queue of custom packets. To keep track of it, it has a pointer (named predecode_packet) to the head of the queue and a pointer to where the next packet is to be added (it points to the next-pointer of the last element of the queue); furthermore, there is also a pointer that points into the queue (called premux_packet). The exact behaviour was as follows: If premux_packet was NULL when a packet is received, it is taken to mean that the old queue is empty and a new queue is started. premux_packet will point to the head of said queue and the next_packet-pointer points to its next pointer. If predecode_packet is NULL, it will also made to point to the newly allocated element. But if premux_packet is NULL and predecode_packet is not, then there will be two queues with head elements premux_packet and predecode_packet. Yet only elements reachable from predecode_packet are ever freed, so the premux_packet queue leaks. Worse yet, when the predecode_packet queue will be eventually exhausted, predecode_packet will be made to point into the other queue and when predecode_packet will be freed, the next pointer of the preceding element of the queue will still point to the element just freed. This element might very well be still reachable from premux_packet which leads to use-after-frees lateron. This happened in the tickets mentioned below. Fix this by never creating two queues in the first place by checking for predecode_packet to know whether the queue is empty. If premux_packet is NULL, then it is set to the newly allocated element of the queue. Fixes tickets #6887, #8188 and #8266. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit cfce16449cb815132f829d5a07beb138dfb2cba6)
Diffstat (limited to 'ffbuild')
0 files changed, 0 insertions, 0 deletions