[FFmpeg-cvslog] avfilter/af_amerge: Fix segfault upon allocation failure
Andreas Rheinhardt
git at videolan.org
Wed Aug 26 01:41:18 EEST 2020
ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Mon Aug 24 05:46:08 2020 +0200| [8f2c1f2cbe77685435362f1940b637a6c3ff1934] | committer: Andreas Rheinhardt
avfilter/af_amerge: Fix segfault upon allocation failure
The amerge filter uses a variable number of inpads and allocates them
in its init function; if all goes well, the number of inpads coincides
with a number stored in the filter's private context. Yet if allocating a
subsequent inpad fails, the uninit function nevertheless uses the number
stored in the private context to determine the number of inpads to free
and not the AVFilterContext's nb_inputs. This will lead to an access
beyond the end of the allocated AVFilterContext.input_pads array and
an invalid free.
Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8f2c1f2cbe77685435362f1940b637a6c3ff1934
---
libavfilter/af_amerge.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c
index ca94a224af..93f6f17d22 100644
--- a/libavfilter/af_amerge.c
+++ b/libavfilter/af_amerge.c
@@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
static av_cold void uninit(AVFilterContext *ctx)
{
AMergeContext *s = ctx->priv;
- int i;
- for (i = 0; i < s->nb_inputs; i++) {
- if (ctx->input_pads)
- av_freep(&ctx->input_pads[i].name);
- }
av_freep(&s->in);
+ for (unsigned i = 0; i < ctx->nb_inputs; i++)
+ av_freep(&ctx->input_pads[i].name);
}
static int query_formats(AVFilterContext *ctx)
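Review bot: In uninit(), the new loop indexes ctx->input_pads[i] without the "if (ctx->input_pads)" guard the removed loop had, so it is safe only as long as ctx->nb_inputs is 0 whenever input_pads was never allocated. A one-line comment above the loop stating that invariant, and that ctx->nb_inputs rather than s->nb_inputs must be the bound because init can fail part-way through adding inpads, would keep a later edit from reintroducing the out-of-bounds access and invalid free described in the commit message.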