avdevice/lavfi: Fix double-free on error

After the AVFrame has been wrapped into a buffer,
it is owned by the buffer and must not be freed manually
any more. Yet this happens on subsequent errors.

This bug was introduced in 6ca43a9675.

Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Andreas Rheinhardt 2023-09-29 19:25:39 +02:00
parent 9a3bbf89bd
commit 2cb2465cc7


@ -365,7 +365,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
LavfiContext *lavfi = avctx->priv_data; LavfiContext *lavfi = avctx->priv_data;
double min_pts = DBL_MAX; double min_pts = DBL_MAX;
int stream_idx, min_pts_sink_idx = 0; int stream_idx, min_pts_sink_idx = 0;
AVFrame *frame; AVFrame *frame, *frame_to_free;
AVDictionary *frame_metadata; AVDictionary *frame_metadata;
int ret, i; int ret, i;
AVStream *st; AVStream *st;
@ -378,6 +378,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
frame = av_frame_alloc(); frame = av_frame_alloc();
if (!frame) if (!frame)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
frame_to_free = frame;
/* iterate through all the graph sinks. Select the sink with the /* iterate through all the graph sinks. Select the sink with the
* minimum PTS */ * minimum PTS */
@ -423,6 +424,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
ret = AVERROR(ENOMEM); ret = AVERROR(ENOMEM);
goto fail; goto fail;
} }
frame_to_free = NULL;
pkt->data = pkt->buf->data; pkt->data = pkt->buf->data;
pkt->size = pkt->buf->size; pkt->size = pkt->buf->size;
@ -463,12 +465,11 @@ FF_DISABLE_DEPRECATION_WARNINGS
FF_ENABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS
#endif #endif
if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) av_frame_free(&frame_to_free);
av_frame_free(&frame);
return pkt->size; return pkt->size;
fail: fail:
av_frame_free(&frame); av_frame_free(&frame_to_free);
return ret; return ret;
} }
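Review bot: The ownership hand-off at `frame_to_free = NULL;` is undocumented, and it is the line the whole memory-safety fix depends on: from that point `frame` is only a borrowed alias of an object owned by `pkt->buf`. I would add a comment there such as `/* pkt->buf owns the frame from here on; frame remains readable only while pkt->buf is referenced */`, so that a later edit does not reintroduce a manual free or an early unref. On the `fail:` path the wrapped frame is now released only when the packet itself is unreferenced, which the visible lines do not do. Presumably the caller unrefs `pkt` when read_packet returns an error, and this is worth confirming and stating in a short comment at the label. The body of lavfi_read_packet continues outside the hunks shown here, so any later reads of `frame` should be checked against this.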