mirror of https://git.ffmpeg.org/ffmpeg.git
avfilter/af_channelmap: Fix double-free of AVFilterChannelLayouts on error
The query_formats function of the channelmap filter tries to allocate a list of channel layouts which on success are attached to more permanent objects (an AVFilterLink) for storage afterwards. If attaching succeeds, the link becomes one of the common owners (in this case, the only owner) of the list. Yet if the list has been successfully attached to the link and an error happens lateron, the list was manually freed, which is wrong, because it is owned by its link so that the link's pointer to the list will become dangling and there will be a double-free/use-after-free when the link is later cleaned up automatically. This commit fixes this by removing the custom freeing code; this will temporarily add a leaking codepath (if attaching the list fails, the list will leak), but this will be fixed soon by making sure that an AVFilterChannelLayouts without owner will be automatically freed when attaching it to an AVFilterLink fails. Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This commit is contained in:
Andreas Rheinhardt
parent
fd1a2a54a4
commit
44bcd6f749
|
|
@ -280,28 +280,18 @@ static av_cold int channelmap_init(AVFilterContext *ctx)
|
||||||
static int channelmap_query_formats(AVFilterContext *ctx)
|
static int channelmap_query_formats(AVFilterContext *ctx)
|
||||||
{
|
{
|
||||||
ChannelMapContext *s = ctx->priv;
|
ChannelMapContext *s = ctx->priv;
|
||||||
AVFilterChannelLayouts *layouts;
|
|
||||||
AVFilterChannelLayouts *channel_layouts = NULL;
|
AVFilterChannelLayouts *channel_layouts = NULL;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
layouts = ff_all_channel_counts();
|
if ((ret = ff_set_common_formats (ctx, ff_planar_sample_fmts())) < 0 ||
|
||||||
if (!layouts) {
|
|
||||||
ret = AVERROR(ENOMEM);
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
if ((ret = ff_add_channel_layout (&channel_layouts, s->output_layout )) < 0 ||
|
|
||||||
(ret = ff_set_common_formats (ctx , ff_planar_sample_fmts() )) < 0 ||
|
|
||||||
(ret = ff_set_common_samplerates (ctx , ff_all_samplerates() )) < 0 ||
|
(ret = ff_set_common_samplerates (ctx , ff_all_samplerates() )) < 0 ||
|
||||||
(ret = ff_channel_layouts_ref (layouts , &ctx->inputs[0]->out_channel_layouts)) < 0 ||
|
(ret = ff_add_channel_layout(&channel_layouts, s->output_layout)) < 0 ||
|
||||||
(ret = ff_channel_layouts_ref (channel_layouts , &ctx->outputs[0]->in_channel_layouts)) < 0)
|
(ret = ff_channel_layouts_ref(channel_layouts,
|
||||||
goto fail;
|
&ctx->outputs[0]->in_channel_layouts)) < 0)
|
||||||
|
return ret;
|
||||||
|
|
||||||
return 0;
|
return ff_channel_layouts_ref(ff_all_channel_counts(),
|
||||||
fail:
|
&ctx->inputs[0]->out_channel_layouts);
|
||||||
if (layouts)
|
|
||||||
av_freep(&layouts->channel_layouts);
|
|
||||||
av_freep(&layouts);
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int channelmap_filter_frame(AVFilterLink *inlink, AVFrame *buf)
|
static int channelmap_filter_frame(AVFilterLink *inlink, AVFrame *buf)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue