From 906f9dce85eeb8c7f29ed2a37ec737a64c0275c6 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Thu, 28 Jun 2012 20:55:04 +0200
Subject: [PATCH] avplay: fix write on freed memory for rawvideo

Do not assume avpacket and the decoded frames are independent. To be absolutely sure and not sprinkle av_free_packet around the code the call had been placed before getting the frame and on the error path.
---
 avplay.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/avplay.c b/avplay.c
index 71844c274d..e05016964b 100644
--- a/avplay.c
+++ b/avplay.c
@@ -1597,6 +1597,7 @@ static int configure_video_filters(AVFilterGraph *graph, VideoState *is, const c
 static int video_thread(void *arg)
 {
+ AVPacket pkt = { 0 };
 VideoState *is = arg;
 AVFrame *frame = avcodec_alloc_frame();
 int64_t pts_int;
@@ -1617,7 +1618,6 @@ static int video_thread(void *arg)
 #endif
 for (;;) {
- AVPacket pkt;
 #if CONFIG_AVFILTER
 AVFilterBufferRef *picref;
 AVRational tb;
@@ -1625,10 +1625,11 @@ static int video_thread(void *arg)
 while (is->paused && !is->videoq.abort_request)
 SDL_Delay(10);
+ av_free_packet(&pkt);
+
 ret = get_video_frame(is, frame, &pts_int, &pkt);
 if (ret < 0)
 goto the_end;
- av_free_packet(&pkt);
 if (!ret)
 continue;
@@ -1708,6 +1709,7 @@ static int video_thread(void *arg)
 av_freep(&vfilters);
 avfilter_graph_free(&graph);
 #endif
+ av_free_packet(&pkt);
 av_free(frame);
 return 0;
 }
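Review bot: In the `@@ -1625,10 +1625,11 @@` hunk the packet is now released only at the top of the next iteration, but nothing in the code states the invariant this depends on: `frame` may point into `pkt`'s buffer (the rawvideo case named in the commit message), so every consumer of `frame` has to be done with it before the loop comes round again. The rest of the loop body lies outside the hunk, so that cannot be checked from here; if the filter graph under `CONFIG_AVFILTER`, or whatever displays the frame, keeps a pointer to the frame data instead of copying it, the same write on freed memory would remain. I would add a comment above the call, for example `/* frame may alias pkt's data (rawvideo): free the previous packet only here, once its frame has been consumed */`. The first pass through the loop and the `the_end` path (hunks `-1597,6` and `-1708,6`) also call `av_free_packet()` on a zeroed or already-freed packet, which is presumably safe but is worth confirming against its implementation and noting next to the `{ 0 }` initialiser.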