avcodec/hw_base_encode: fix use after free on close

The way the linked list of images was freed caused a use after free, by accessing pic->next after pic was already freed. Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c Fix CID1633236
author: Marvin Scholz <epirat07@gmail.com> 2024-10-17 20:23:40 +0200
committer: Lynne <dev@lynne.ee> 2024-10-18 11:18:41 +0200
commit: c98810ab47fa1cf339b16045e27fbe12b3a19951 (patch)
tree: f11d2105ec0bd676ed43e0f9bad1f8e9444f15cb /libavcodec
parent: dfaade76db1c7370f47685f2cd34161ddcf57b47 (diff)
download: ffmpeg-c98810ab47fa1cf339b16045e27fbe12b3a19951.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c
index 912c707a68..4d8bf4fe71 100644
--- a/libavcodec/hw_base_encode.c
+++ b/libavcodec/hw_base_encode.c
@@ -804,10 +804,10 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, FFHWBaseEncodeContext *ctx)
 
 int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx)
 {
-    FFHWBaseEncodePicture *pic;
-
-    for (pic = ctx->pic_start; pic; pic = pic->next)
+    for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; pic = next_pic) {
+        next_pic = pic->next;
         base_encode_pic_free(pic);
+    }
 
     av_fifo_freep2(&ctx->encode_fifo);
author	Marvin Scholz <epirat07@gmail.com>	2024-10-17 20:23:40 +0200
committer	Lynne <dev@lynne.ee>	2024-10-18 11:18:41 +0200
commit	c98810ab47fa1cf339b16045e27fbe12b3a19951 (patch)
tree	f11d2105ec0bd676ed43e0f9bad1f8e9444f15cb /libavcodec
parent	dfaade76db1c7370f47685f2cd34161ddcf57b47 (diff)
download	ffmpeg-c98810ab47fa1cf339b16045e27fbe12b3a19951.tar.gz