mirror of https://git.ffmpeg.org/ffmpeg.git
avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error
The query_formats function of the amix filter tries to allocate a list of channel layouts which are attached to more permanent objects (an AVFilter's links) for storage afterwards on success. If attaching a list to a link succeeds, the link becomes one of the common owners of the list. Yet if a list has been successfully attached to links (or if there were no links to attach it to, in which case ff_set_common_channel_layouts() already frees the list) and an error happens later on, the list was manually freed. This is wrong, because the list has either already been freed or it is owned by its links, in which case these links' pointers to their list will become dangling and there will be double-frees/uses-after-free when these links are cleaned up automatically.

This commit fixes this by removing the custom freeing code; this is made possible by using the list in ff_set_common_channel_layouts() directly after its allocation (without anything that can fail in between).

Notice that ff_set_common_channel_layouts() is buggy itself, which can lead to double-frees on error. This is not fixed in this commit.

Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
parent
27f35fd121
commit
44e376500f
|
@ -593,25 +593,13 @@ static int query_formats(AVFilterContext *ctx)
|
|||
AV_SAMPLE_FMT_DBL, AV_SAMPLE_FMT_DBLP,
|
||||
AV_SAMPLE_FMT_NONE
|
||||
};
|
||||
AVFilterChannelLayouts *layouts;
|
||||
int ret;
|
||||
|
||||
layouts = ff_all_channel_counts();
|
||||
if (!layouts) {
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if ((ret = ff_set_common_formats(ctx, ff_make_format_list(sample_fmts))) < 0 ||
|
||||
(ret = ff_set_common_channel_layouts(ctx, layouts)) < 0 ||
|
||||
(ret = ff_set_common_samplerates(ctx, ff_all_samplerates())) < 0)
|
||||
goto fail;
|
||||
return 0;
|
||||
fail:
|
||||
if (layouts)
|
||||
av_freep(&layouts->channel_layouts);
|
||||
av_freep(&layouts);
|
||||
return ret;
|
||||
return ret;
|
||||
|
||||
return ff_set_common_channel_layouts(ctx, ff_all_channel_counts());
|
||||
}
|
||||
|
||||
static int process_command(AVFilterContext *ctx, const char *cmd, const char *args,
|
||||
|
|
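Review bot: The final `return ff_set_common_channel_layouts(ctx, ff_all_channel_counts());` hands the allocator's result straight to the setter, so the explicit `if (!layouts)` out-of-memory check is no longer made in this function. The ENOMEM path now depends on the setter rejecting a NULL list, which is not visible on this page and should be confirmed. The ownership rule that makes the change safe is also only implicit at the call site; a comment above the return such as `/* ff_set_common_channel_layouts() owns the list from here on, even if it fails; never free it here. */` would keep a later edit from reintroducing the manual free and the dangling link pointers with it. The page has lost its +/- markers, so the new side is inferred from the commit description, and query_formats begins above the hunk.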