[FFmpeg-cvslog] ogg: fix double free when finding length of small chained oggs.
Ronald S. Bultje
git at videolan.org
Wed Jul 27 12:49:38 CEST 2011
ffmpeg | branch: release/0.7 | Ronald S. Bultje <rsbultje at gmail.com> | Tue Jun 28 22:24:21 2011 -0700| [cb66b552700c4fe54f3387eb12207049ff63dfe3] | committer: Reinhard Tartler
ogg: fix double free when finding length of small chained oggs.
ogg_save() copies streams[], but doesn't keep track of free()'ed
struct members. Thus, if in between a call to ogg_save() and
ogg_restore(), streams[].private was free()'ed, this would result
in a double free -> crash, which happened when e.g. playing small
chained ogg fragments.
(cherry picked from commit 9ed6cbc3ee2ae3e7472fb25192a7e36fd7b15533)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb66b552700c4fe54f3387eb12207049ff63dfe3
---
libavformat/oggdec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index f1ad630..998a33b 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -238,7 +238,8 @@ static int ogg_read_page(AVFormatContext *s, int *str)
for (n = 0; n < ogg->nstreams; n++) {
av_freep(&ogg->streams[n].buf);
- av_freep(&ogg->streams[n].private);
+ if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private)
+ av_freep(&ogg->streams[n].private);
}
ogg->curidx = -1;
ogg->nstreams = 0;
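Review bot: the new guard indexes the saved copy with the current loop bound (`n < ogg->nstreams`) but never checks how many streams the saved state actually holds; if a stream can be created between ogg_save() and this cleanup, `ogg->state->streams[n]` for the newer entries reads past the saved copy. Suggest comparing `n` against the saved state's own stream count (assuming the state records one) before dereferencing, e.g. `if (!ogg->state || n >= ogg->state->nstreams || ogg->state->streams[n].private != ogg->streams[n].private)`. Two smaller points: the guard only consults the most recent saved state, so if saves can nest, an older saved copy sharing the same `private` pointer is still unprotected; and when the pointers match, `ogg->streams[n].private` is left dangling rather than cleared, which is safe only as long as ogg_restore() is guaranteed to overwrite it, so a one-line comment stating that invariant would help the next reader.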