[FFmpeg-devel] [PATCH 1/3] avformat/rtspdec: set dangling pointers to NULL

[Andreas Rheinhardt]

Andriy Gelman:
> From: Andriy Gelman <andriy.gelman at gmail.com>
> 
> Otherwise a double free will occur in case rtsp_read_close() is called
> on error.
> 
> Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
> ---
>  libavformat/rtspdec.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/rtspdec.c b/libavformat/rtspdec.c
> index ef084a8b2b..b519b6f1a2 100644
> --- a/libavformat/rtspdec.c
> +++ b/libavformat/rtspdec.c
> @@ -691,7 +691,8 @@ static int rtsp_listen(AVFormatContext *s)
>          } else if (methodcode == SETUP)
>              ret = rtsp_read_setup(s, host, uri);
>          if (ret) {
> -            ffurl_close(rt->rtsp_hd);
> +            ffurl_closep(&rt->rtsp_hd);
> +            rt->rtsp_hd_out = NULL;
>              return AVERROR_INVALIDDATA;
>          }
>      }
> 
You simply set rtsp_hd_out to NULL, so I presume you have checked that
it really always pointed to NULL or to rtsp_hd (i.e. that everything is
consistent) before that. In this case, you don't need new code for
freeing here: Remove the ffurl_close() that is already here and leave
freeing to rtsp_read_close() (and ultimately to
ff_rtsp_close_connections()). This advice is untested, so better test it.

- Andreas

PS: When I made 82bf41f3abce4a13e7c6ad1606eb708f371de87f I intentionally
left rtspdec out and put it on my (pretty long)
"I'll-do-it-tomorrow"-list, because of this rtsp_hd vs. rtsp_hd_out
stuff. Thanks for taking care of it.