From 7316177a44fcd325dff8d19a382c83a51f1dfacc Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Mon, 24 Aug 2020 05:46:08 +0200
Subject: [PATCH] avfilter/af_amerge: Fix segfault upon allocation failure

The amerge filter uses a variable number of inpads and allocates them in its init function; if all goes well, the number of inpads coincides with a number stored in the filter's private context. Yet if allocating a subsequent inpad fails, the uninit function nevertheless uses the number stored in the private context to determine the number of inpads to free and not the AVFilterContext's nb_inputs. This will lead to an access beyond the end of the allocated AVFilterContext.input_pads array and an invalid free.

Reviewed-by: Nicolas George
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 8f2c1f2cbe77685435362f1940b637a6c3ff1934)
---
 libavfilter/af_amerge.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c
index 567f25982d..eb8b467157 100644
--- a/libavfilter/af_amerge.c
+++ b/libavfilter/af_amerge.c
@@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
 static av_cold void uninit(AVFilterContext *ctx)
 {
     AMergeContext *s = ctx->priv;
-    int i;
 
-    for (i = 0; i < s->nb_inputs; i++) {
-        if (ctx->input_pads)
-            av_freep(&ctx->input_pads[i].name);
-    }
     av_freep(&s->in);
+    for (unsigned i = 0; i < ctx->nb_inputs; i++)
+        av_freep(&ctx->input_pads[i].name);
 }
 
 static int query_formats(AVFilterContext *ctx)
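Review bot: The new loop in uninit silently depends on ctx->nb_inputs counting only pads that were actually inserted, and nothing in the function says why s->nb_inputs must not be used here, so a later "cleanup" could reintroduce the out-of-bounds free this commit removes. I would put a why-comment above the for: `/* Walk ctx->nb_inputs, not s->nb_inputs: init may fail part-way through inserting pads, so only the pads really present own a name to free. */`. Dropping the old `if (ctx->input_pads)` guard is only safe if nb_inputs is 0 whenever input_pads is NULL, which holds if the pad-insertion helper bumps the count solely on success; that helper is outside this hunk, so worth confirming. Switching the index to `unsigned` to match the type of nb_inputs is a good touch, as it avoids a signed/unsigned comparison in the loop condition.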