ogg: fix double free when finding length of small chained oggs.

ogg_save() copies streams[], but doesn't keep track of free()'ed struct members. Thus, if in between a call to ogg_save() and ogg_restore(), streams[].private was free()'ed, this would result in a double free -> crash, which happened when e.g. playing small chained ogg fragments. (cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533)
author: Ronald S. Bultje <rsbultje@gmail.com> 2011-06-28 22:24:21 -0700
committer: Carl Eugen Hoyos <cehoyos@ag.or.at> 2011-07-01 02:41:30 +0200
commit: 8f7f3f0453dfe3a14b70bae28301a2ee661fc3f4 (patch)
tree: eefcfc8216b01635bc5ad90c7423e62c90d467d7 /libavformat
parent: 376dfd07abf8a5f493146d818bfb04807dc8bd5a (diff)
download: ffmpeg-8f7f3f0453dfe3a14b70bae28301a2ee661fc3f4.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 655da35dd4..dc9f7b62fd 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -240,7 +240,8 @@ static int ogg_read_page(AVFormatContext *s, int *str)
 
             for (n = 0; n < ogg->nstreams; n++) {
                 av_freep(&ogg->streams[n].buf);
-                av_freep(&ogg->streams[n].private);
+                if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private)
+                    av_freep(&ogg->streams[n].private);
             }
             ogg->curidx   = -1;
             ogg->nstreams = 0;
author	Ronald S. Bultje <rsbultje@gmail.com>	2011-06-28 22:24:21 -0700
committer	Carl Eugen Hoyos <cehoyos@ag.or.at>	2011-07-01 02:41:30 +0200
commit	8f7f3f0453dfe3a14b70bae28301a2ee661fc3f4 (patch)
tree	eefcfc8216b01635bc5ad90c7423e62c90d467d7 /libavformat
parent	376dfd07abf8a5f493146d818bfb04807dc8bd5a (diff)
download	ffmpeg-8f7f3f0453dfe3a14b70bae28301a2ee661fc3f4.tar.gz