avfilter/af_amerge: Fix segfault upon allocation failure
The amerge filter uses a variable number of inpads and allocates them
in its init function; if all goes well, the number of inpads coincides
with a number stored in the filter's private context. Yet if allocating a
subsequent inpad fails, the uninit function nevertheless uses the number
stored in the private context to determine the number of inpads to free
and not the AVFilterContext's nb_inputs. This will lead to an access
beyond the end of the allocated AVFilterContext.input_pads array and
an invalid free.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 8f2c1f2cbe)
parent
9ef7237313
commit
7316177a44
@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
|
||||
static av_cold void uninit(AVFilterContext *ctx)
|
||||
{
|
||||
AMergeContext *s = ctx->priv;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < s->nb_inputs; i++) {
|
||||
if (ctx->input_pads)
|
||||
av_freep(&ctx->input_pads[i].name);
|
||||
}
|
||||
av_freep(&s->in);
|
||||
for (unsigned i = 0; i < ctx->nb_inputs; i++)
|
||||
av_freep(&ctx->input_pads[i].name);
|
||||
}
|
||||
|
||||
static int query_formats(AVFilterContext *ctx)
|
||||
|
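Review bot: The new loop in uninit drops the old `if (ctx->input_pads)` guard, so it is only safe while ctx->nb_inputs is 0 whenever ctx->input_pads is NULL; that invariant is maintained outside this hunk and should be stated here. The out-of-bounds access and invalid free described in the commit message came from counting with `s->nb_inputs`, so a comment above the loop would keep a later cleanup from switching back: `/* Free only the pads that were actually inserted: init can fail part-way, so use ctx->nb_inputs, not s->nb_inputs. */`. It is also worth confirming that init frees the name of a pad whose insertion failed, since this loop does not cover it; init is not visible in this hunk.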