[FFmpeg-devel] [PATCH 14/19] avfilter/af_amerge: Fix segfault upon allocation failure

Paul B Mahol onemda at gmail.com
Sun Aug 30 22:25:29 EEST 2020


On 8/25/20, Andreas Rheinhardt <andreas.rheinhardt at gmail.com> wrote:
> The amerge filter uses a variable number of inpads and allocates them
> in its init function; if all goes well, the number of inpads coincides
> with a number stored in the filter's private context. Yet if allocating a
> subsequent inpad fails, the uninit function nevertheless uses the number
> stored in the private context to determine the number of inpads to free
> and not the AVFilterContext's nb_inputs. This will lead to an access
> beyond the end of the allocated AVFilterContext.input_pads array and
> an invalid free.
>
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---

LGTM, but might wait for Nicolas.

>  libavfilter/af_amerge.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c
> index ca94a224af..93f6f17d22 100644
> --- a/libavfilter/af_amerge.c
> +++ b/libavfilter/af_amerge.c
> @@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
>  static av_cold void uninit(AVFilterContext *ctx)
>  {
>      AMergeContext *s = ctx->priv;
> -    int i;
>
> -    for (i = 0; i < s->nb_inputs; i++) {
> -        if (ctx->input_pads)
> -            av_freep(&ctx->input_pads[i].name);
> -    }
>      av_freep(&s->in);
> +    for (unsigned i = 0; i < ctx->nb_inputs; i++)
> +        av_freep(&ctx->input_pads[i].name);
>  }
>
>  static int query_formats(AVFilterContext *ctx)
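Review bot: the new loop is only as correct as the invariant that ctx->nb_inputs counts pads whose insertion fully succeeded, which the commit message states but the hunk itself cannot show; a one-line comment above `for (unsigned i = 0; i < ctx->nb_inputs; i++)` saying that this count, not s->nb_inputs, is the authoritative one would stop a future reader from "fixing" it back. Dropping the `if (ctx->input_pads)` guard is fine for the same reason: nb_inputs is zero whenever no pad was inserted, so the loop body never dereferences a NULL array. Using `unsigned i` also matches the type of ctx->nb_inputs, which the removed `int i` did not.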
> --
> 2.20.1
>
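The failure-path mismatch the commit message describes, reproduced as a constructed C model added to this page (it is not FFmpeg's or the author's code); the Ctx, pad_at and alloc_budget names are assumptions, and an instrumented accessor counts out-of-bounds indices instead of dereferencing them, so the stale-count cleanup can be compared against the fixed one without crashing:

```c
#include <stdlib.h>
/* Constructed model of the amerge init/uninit pair, not FFmpeg code. */
typedef struct Pad { char *name; } Pad;
typedef struct Ctx {
    Pad *input_pads;     /* grows by one per successful insert, like ff_insert_inpad */
    unsigned nb_inputs;  /* pads really inserted: the AVFilterContext count */
    int priv_nb_inputs;  /* requested count: the private-context number */
    int oob_accesses;    /* instrumentation: indices touched past the array */
} Ctx;
static int alloc_budget; /* simulated allocator: fails once the budget is spent */
static char *alloc_name(void) { return alloc_budget-- > 0 ? malloc(8) : NULL; }
/* Bounds-checked stand-in for the raw ctx->input_pads[i] dereference. */
static Pad *pad_at(Ctx *ctx, unsigned i) {
    if (i >= ctx->nb_inputs) { ctx->oob_accesses++; return NULL; }
    return &ctx->input_pads[i];
}
static int init(Ctx *ctx, int requested, int budget) {
    *ctx = (Ctx){0};
    alloc_budget = budget;
    ctx->priv_nb_inputs = requested;
    for (int i = 0; i < requested; i++) {
        char *name = alloc_name();
        Pad *grown = name ? realloc(ctx->input_pads, (i + 1) * sizeof(Pad)) : NULL;
        if (!grown) { free(name); return -1; } /* nb_inputs stays at i */
        ctx->input_pads = grown;
        ctx->input_pads[i].name = name;
        ctx->nb_inputs++;
    }
    return 0;
}
/* Before the patch: trusts the private count and walks past the array. */
static void uninit_stale(Ctx *ctx) {
    for (int i = 0; i < ctx->priv_nb_inputs; i++)
        if (pad_at(ctx, i)) free(ctx->input_pads[i].name);
    free(ctx->input_pads);
}
/* After the patch: trusts the number of pads actually inserted. */
static void uninit_fixed(Ctx *ctx) {
    for (unsigned i = 0; i < ctx->nb_inputs; i++)
        free(pad_at(ctx, i)->name);
    free(ctx->input_pads);
}
/* Request 4 pads but allow only 2 name allocations; returns the OOB count. */
static int oob_with(void (*uninit)(Ctx *)) {
    Ctx ctx;
    init(&ctx, 4, 2); /* third pad fails, nb_inputs stays at 2 */
    uninit(&ctx);
    return ctx.oob_accesses;
}
```

Under ASan the stale loop would report a heap-buffer-overflow on the third index; here the accessor records it instead, and the fixed loop records nothing.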

