diff options
author | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2023-09-29 19:25:39 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2023-09-30 12:27:44 +0200 |
commit | 2cb2465cc739aa34f33b70426b0f6c8183cdfa79 (patch) | |
tree | 18cc3de2bdd7284e1f3f599808e163ab0e7adc58 /libavdevice/lavfi.c | |
parent | 9a3bbf89bd9b32b9849d34920f7afcbd861d4e6b (diff) | |
download | ffmpeg-2cb2465cc739aa34f33b70426b0f6c8183cdfa79.tar.gz |
avdevice/lavfi: Fix double-free on error
After the AVFrame has been wrapped into a buffer,
it is owned by the buffer and must not be freed manually
any more. Yet this happens on subsequent errors.
This bug was introduced in 6ca43a9675d651d7ea47c7ba2fafb1bf831c4d0b.
Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Diffstat (limited to 'libavdevice/lavfi.c')
-rw-r--r-- | libavdevice/lavfi.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index ec7ebdbc90..2bfd0b81c7 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -365,7 +365,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) LavfiContext *lavfi = avctx->priv_data; double min_pts = DBL_MAX; int stream_idx, min_pts_sink_idx = 0; - AVFrame *frame; + AVFrame *frame, *frame_to_free; AVDictionary *frame_metadata; int ret, i; AVStream *st; @@ -378,6 +378,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) frame = av_frame_alloc(); if (!frame) return AVERROR(ENOMEM); + frame_to_free = frame; /* iterate through all the graph sinks. Select the sink with the * minimum PTS */ @@ -423,6 +424,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) ret = AVERROR(ENOMEM); goto fail; } + frame_to_free = NULL; pkt->data = pkt->buf->data; pkt->size = pkt->buf->size; @@ -463,12 +465,11 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS #endif - if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) - av_frame_free(&frame); + av_frame_free(&frame_to_free); return pkt->size; fail: - av_frame_free(&frame); + av_frame_free(&frame_to_free); return ret; } |