diff options
author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2019-12-16 01:04:09 +0100 |
---|---|---|
committer | Steven Liu <lq@chinaffmpeg.org> | 2019-12-23 14:05:43 +0800 |
commit | 149ee954a32334902a20c6a1b58ac5fe91114ff6 (patch) | |
tree | ca4a714bd5752caa884a132fda63ff559251b521 /libavutil/spherical.c | |
parent | bd131b64bc308ab036d0bbe9da0a49f482ef94f9 (diff) | |
download | ffmpeg-149ee954a32334902a20c6a1b58ac5fe91114ff6.tar.gz |
avformat/hlsenc: Fix potential segfault upon allocation failure
The hls muxer allocates an array of VariantStreams, a structure that
contains pointers to objects that need to be freed on their own. This
means that the number of allocated VariantStreams needs to be correct
when they are freed; yet the number of VariantStreams is set in
update_variant_stream_info() resp. parse_variant_stream_mapstring()
before the allocation has been checked for success, so that upon error
an attempt would be made to free the objects whose pointers are
positioned at position NULL (the location of VariantStreams) +
offsetof(VariantStream, the corresponding pointer).
Furthermore d1fe1344 added another possibility for the first function
to leave an inconsistent state behind: If an allocation of one of the
objects referenced by the VariantStream fails, the VariantStream will be
freed, but the number of allocated VariantStreams isn't reset, leading
to the same problem as above. (This was done in the mistaken belief that
the VariantStreams array would leak otherwise.)
Essentially the same also happens for the number of cc-streams. It has
been fixed, too.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Steven Liu <lq@onvideo.cn>
Diffstat (limited to 'libavutil/spherical.c')
0 files changed, 0 insertions, 0 deletions