diff options
author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-03-27 08:31:29 +0100 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-07-01 23:59:18 +0200 |
commit | ebe90fbb742bb6e23a7df5cb8b10d7f1ded5a54b (patch) | |
tree | de04b6e049ab289332bac3bbd4f51f9ccb33bc4e /libavformat/avidec.c | |
parent | 81e1872b478dc79e853a9f6175f0d57c70ccbfab (diff) | |
download | ffmpeg-ebe90fbb742bb6e23a7df5cb8b10d7f1ded5a54b.tar.gz |
avformat/avidec: Fix memleak with embedded GAB2 subtitles
The code for GAB2 subtitles predates refcounting AVPackets. So in order
to transfer the ownership of a packet's data pkt->data was simply stored
and the packet zeroed; in the end (i.e. in the read_close-function) this
data was then simply freed with av_freep(). This of course leads to a leak
of an AVBufferRef and an AVBuffer. It has been fixed by keeping and
eventually unreferencing the packet's buf instead.
Additionally, the packet is now reset via av_packet_unref().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Diffstat (limited to 'libavformat/avidec.c')
-rw-r--r-- | libavformat/avidec.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 3f074795a7..ea99e95386 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -1118,8 +1118,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1910,7 +1911,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } } |