RepoMirrors
/
mpv
mirror of https://github.com/mpv-player/mpv
1
0
Fork 0
Code Issues Releases Wiki Activity

audio: fix use-after-free with fuzzed file 

reinit_audio_filters_and_output() can fully shutdown the audio chain on
failure. Specifically, it will deallocate mpctx->ao_chain. The value of
that field was cached in ao_c. The code after the call did not account
that the audio chain can be shutdown, and used the stale ao_c value.

Fixes: #6808
This commit is contained in:
wm4 2019-09-21 21:59:09 +02:00
parent fc7decde73
commit 5858e3cdbd
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
player/audio.c
View File

@ -813,6 +813,8 @@ void fill_audio_out_buffers(struct MPContext *mpctx)
// Probe the initial audio format.
mp_pin_out_request_data(ao_c->filter->f->pins[1]);
reinit_audio_filters_and_output(mpctx);
if (!mpctx->ao_chain)
return;
if (ao_c->filter->got_output_eof &&
mpctx->audio_status != STATUS_EOF)
{