aboutsummaryrefslogtreecommitdiffstats
path: root/libavdevice/lavfi.c
diff options
context:
space:
mode:
authorAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2023-09-29 19:25:39 +0200
committerAndreas Rheinhardt <andreas.rheinhardt@outlook.com>2023-09-30 12:27:44 +0200
commit2cb2465cc739aa34f33b70426b0f6c8183cdfa79 (patch)
tree18cc3de2bdd7284e1f3f599808e163ab0e7adc58 /libavdevice/lavfi.c
parent9a3bbf89bd9b32b9849d34920f7afcbd861d4e6b (diff)
downloadffmpeg-2cb2465cc739aa34f33b70426b0f6c8183cdfa79.tar.gz
avdevice/lavfi: Fix double-free on error
After the AVFrame has been wrapped into a buffer, it is owned by the buffer and must not be freed manually any more. Yet this happens on subsequent errors. This bug was introduced in 6ca43a9675d651d7ea47c7ba2fafb1bf831c4d0b. Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Diffstat (limited to 'libavdevice/lavfi.c')
-rw-r--r--libavdevice/lavfi.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c
index ec7ebdbc90..2bfd0b81c7 100644
--- a/libavdevice/lavfi.c
+++ b/libavdevice/lavfi.c
@@ -365,7 +365,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
LavfiContext *lavfi = avctx->priv_data;
double min_pts = DBL_MAX;
int stream_idx, min_pts_sink_idx = 0;
- AVFrame *frame;
+ AVFrame *frame, *frame_to_free;
AVDictionary *frame_metadata;
int ret, i;
AVStream *st;
@@ -378,6 +378,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
frame = av_frame_alloc();
if (!frame)
return AVERROR(ENOMEM);
+ frame_to_free = frame;
/* iterate through all the graph sinks. Select the sink with the
* minimum PTS */
@@ -423,6 +424,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
ret = AVERROR(ENOMEM);
goto fail;
}
+ frame_to_free = NULL;
pkt->data = pkt->buf->data;
pkt->size = pkt->buf->size;
@@ -463,12 +465,11 @@ FF_DISABLE_DEPRECATION_WARNINGS
FF_ENABLE_DEPRECATION_WARNINGS
#endif
- if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
- av_frame_free(&frame);
+ av_frame_free(&frame_to_free);
return pkt->size;
fail:
- av_frame_free(&frame);
+ av_frame_free(&frame_to_free);
return ret;
}