From 936d967871562e36e307126b59e4e6bbb3a3bab7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 5 Sep 2020 18:12:27 +0200 Subject: [PATCH] avformat/segment: Fix segfault when error happens and segment list is output The segment muxer has an option to output a file containing a list of the segments written. The AVIOContext used for writing this file is opened via the main AVFormatContext's io_open callback; seg_free() meanwhile unconditionally closes this AVIOContext by calling ff_format_io_close() with the child muxer (the one for the actual output format) as AVFormatContext. The problem hereby is that the child AVFormatContext need not exist, even when the AVIOContext does. This leads to a segfault in ff_format_io_close() when the child muxer's io_close callback is called. Situations in which the AVFormatContext can be NULL range from an invalid reference stream parameter to an unavailable/bogus/unsupported output format to inability to allocate the AVFormatContext. The solution is to simply close the AVIOContext with the AVFormatContext that was used to open it: The main AVFormatContext. Reviewed-by: Ridley Combs Signed-off-by: Andreas Rheinhardt --- libavformat/segment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index e84dc7a426..858ccf8697 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -659,7 +659,7 @@ static int select_reference_stream(AVFormatContext *s) static void seg_free(AVFormatContext *s) { SegmentContext *seg = s->priv_data; - ff_format_io_close(seg->avf, &seg->list_pb); + ff_format_io_close(s, &seg->list_pb); avformat_free_context(seg->avf); seg->avf = NULL; av_freep(&seg->times);
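Review bot: In seg_free(), the new call `ff_format_io_close(s, &seg->list_pb);` has no comment recording why the main context `s` is used instead of `seg->avf`, and the pairing rule from the commit message (close an AVIOContext with the AVFormatContext whose io_open opened it) is easy to undo in a later cleanup. Suggest a one-line comment above the call saying that list_pb is opened through the main context's io_open and that seg->avf may be NULL on error paths. The call also stays unconditional, so please confirm that ff_format_io_close() tolerates `seg->list_pb` being NULL when no segment list was requested or when opening it failed, since seg_free() runs on those paths as well. It would also be worth checking that any other place in segment.c that closes list_pb passes the same context, and adding a regression test for one of the failure cases the message lists (for example an unsupported output format with a segment list enabled).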