[FFmpeg-cvslog] avformat/segment: Fix segfault when error happens and segment list is output

Andreas Rheinhardt git at videolan.org
Thu Sep 10 14:44:40 EEST 2020


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at gmail.com> | Sat Sep  5 18:12:27 2020 +0200| [936d967871562e36e307126b59e4e6bbb3a3bab7] | committer: Andreas Rheinhardt

avformat/segment: Fix segfault when error happens and segment list is output

The segment muxer has an option to output a file containing a list of
the segments written. The AVIOContext used for writing this file is
opened via the main AVFormatContext's io_open callback; seg_free()
meanwhile unconditionally closes this AVIOContext by calling
ff_format_io_close() with the child muxer (the one for the actual output
format) as AVFormatContext.

The problem hereby is that the child AVFormatContext need not exist,
even when the AVIOContext does. This leads to a segfault in
ff_format_io_close() when the child muxer's io_close callback is called.

Situations in which the AVFormatContext can be NULL range from an
invalid reference stream parameter to an unavailable/bogus/unsupported
output format to inability to allocate the AVFormatContext.

The solution is to simply close the AVIOContext with the AVFormatContext
that was used to open it: The main AVFormatContext.

Reviewed-by: Ridley Combs <rcombs at rcombs.me>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=936d967871562e36e307126b59e4e6bbb3a3bab7
---

 libavformat/segment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/segment.c b/libavformat/segment.c
index e84dc7a426..858ccf8697 100644
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -659,7 +659,7 @@ static int select_reference_stream(AVFormatContext *s)
 static void seg_free(AVFormatContext *s)
 {
     SegmentContext *seg = s->priv_data;
-    ff_format_io_close(seg->avf, &seg->list_pb);
+    ff_format_io_close(s, &seg->list_pb);
     avformat_free_context(seg->avf);
     seg->avf = NULL;
     av_freep(&seg->times);
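Review bot: the call `ff_format_io_close(s, &seg->list_pb);` in seg_free() depends on an invariant that is only stated in the commit message: list_pb is opened through the main context's io_open, so it must be closed with `s` and not with `seg->avf`. A one-line comment above that call saying so would keep a later cleanup from switching it back to the child context, which the commit message says can be NULL on the error paths. It would also be worth adding a test for one of those error paths with the segment list enabled, such as an unsupported output format, since nothing visible in this change exercises it.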


