From 121bc6ad62a75eb4a3c9cbd2d4f96fcd18593ac9 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 15 Feb 2020 14:07:46 +0100 Subject: [PATCH] demux_timeline: fix another cursed memory management issue The timeline stuff has messed up memory management because there are no clear ownership rules between a some demuxer instances (master or demux_timeline) and the timeline object itself. This is another subtle problem that happened: apparently, demux_timeline.open is supposed to take over ownership of timeline, but only on success. If it fails, it's not supposed to free it. It didn't follow this, which lead to a double-free if demux_timeline.open failed. The failure path in demux.c calls both timeline_destroy() and demux_timeline.close on failure. --- demux/demux_timeline.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/demux/demux_timeline.c b/demux/demux_timeline.c index a657efdab2..cdad24f02d 100644 --- a/demux/demux_timeline.c +++ b/demux/demux_timeline.c @@ -78,6 +78,7 @@ struct virtual_source { struct priv { struct timeline *tl; + bool owns_tl; double duration; @@ -614,6 +615,7 @@ static int d_open(struct demuxer *demuxer, enum demux_check check) reselect_streams(demuxer); + p->owns_tl = true; return 0; } @@ -629,9 +631,11 @@ static void d_close(struct demuxer *demuxer) close_lazy_segments(demuxer, src); } - struct demuxer *master = p->tl->demuxer; - timeline_destroy(p->tl); - demux_free(master); + if (p->owns_tl) { + struct demuxer *master = p->tl->demuxer; + timeline_destroy(p->tl); + demux_free(master); + } } static void d_switched_tracks(struct demuxer *demuxer)