From 92b578e1d62adf933cfacd36c02aabc448ed214d Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Mon, 14 Sep 2020 06:37:24 +0200
Subject: [PATCH] avcodec/av1dec: Fix segfault upon allocation error

Up until now, the AV1 decoder always checks before calling its wrapper around ff_thread_release_buffer() whether the ThreadFrame was used at all, i.e. it checked whether the first data buffer of the AVFrame contained therein is NULL or not. Yet this presumes that the AVFrame has been successfully allocated, even though this can of course fail; and if it did, one would encounter a segfault. Fix this by removing the checks altogether: ff_thread_release_buffer() can handle both unallocated as well as empty frames (since commit f6774f905fb3cfdc319523ac640be30b14c1bc55).

Reviewed-by: James Almer
Signed-off-by: Andreas Rheinhardt
---
 libavcodec/av1dec.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index bd8acdaafe..871db76b4d 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -388,12 +388,10 @@ static av_cold int av1_decode_free(AVCodecContext *avctx)
 AV1DecContext *s = avctx->priv_data;
 for (int i = 0; i < FF_ARRAY_ELEMS(s->ref); i++) {
- if (s->ref[i].tf.f->buf[0])
- av1_frame_unref(avctx, &s->ref[i]);
+ av1_frame_unref(avctx, &s->ref[i]);
 av_frame_free(&s->ref[i].tf.f);
 }
- if (s->cur_frame.tf.f->buf[0])
- av1_frame_unref(avctx, &s->cur_frame);
+ av1_frame_unref(avctx, &s->cur_frame);
 av_frame_free(&s->cur_frame.tf.f);
 av_buffer_unref(&s->seq_ref);
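Review bot: The two now-unconditional `av1_frame_unref()` calls in av1_decode_free depend on that wrapper never dereferencing `tf.f`, in any step it performs besides calling ff_thread_release_buffer(). That contract is stated only in the commit message, and the wrapper's body is outside the hunk, so it cannot be confirmed from here. A short comment above the loop would keep the requirement visible at the call site, e.g. `/* tf.f may be NULL if init failed partway; av1_frame_unref() must not dereference it */`. Without it, a later change to the wrapper that reads `f->tf.f` directly would bring back the NULL dereference on the allocation-failure path, which normal decoding tests are unlikely to exercise. av1_decode_free begins before the hunk and continues past it.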