highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ogg: fix double free when finding length of small chained oggs.

Browse Source 
ogg_save() copies streams[], but doesn't keep track of free()'ed
struct members. Thus, if in between a call to ogg_save() and
ogg_restore(), streams[].private was free()'ed, this would result
in a double free -> crash, which happened when e.g. playing small
chained ogg fragments.
(cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533)
This commit is contained in:
Ronald S. Bultje 2011-06-28 22:24:21 -07:00 committed by Carl Eugen Hoyos
parent 376dfd07ab
commit 8f7f3f0453
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/oggdec.c
View File

@ -240,7 +240,8 @@ static int ogg_read_page(AVFormatContext *s, int *str)
for (n = 0; n < ogg->nstreams; n++) {
av_freep(&ogg->streams[n].buf);
av_freep(&ogg->streams[n].private);
if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private)
av_freep(&ogg->streams[n].private);
}
ogg->curidx = -1;
ogg->nstreams = 0;