From f9f3fd9387921957ee93b8081e355596b49e6e82 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 27 Mar 2020 08:31:29 +0100 Subject: [PATCH] avformat/avidec: Fix memleak with embedded GAB2 subtitles The code for GAB2 subtitles predates refcounting AVPackets. So in order to transfer the ownership of a packet's data pkt->data was simply stored and the packet zeroed; in the end (i.e. in the read_close-function) this data was then simply freed with av_freep(). This of course leads to a leak of an AVBufferRef and an AVBuffer. It has been fixed by keeping and eventually unreferencing the packet's buf instead. Additionally, the packet is now reset via av_packet_unref(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc) Signed-off-by: Andreas Rheinhardt --- libavformat/avidec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 72a6749704..11f726b897 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -1118,8 +1118,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1906,7 +1907,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } }