[FFmpeg-devel] [PATCH] Fix leak by dereferencing audio frame when side data causes whole frame skip

Michael Niedermayer michaelni at gmx.at
Tue May 7 01:32:37 CEST 2013


On Mon, May 06, 2013 at 03:42:51PM -0700, Matthew Wolenetz wrote:
> This patch fixes a memory leak in avcodec_decode_audio4() when
> refcounted_frames are enabled and side data size causes a whole frame to be
> skipped.
> 
> Please review to ensure it is not introducing use-after-free possibilities.
> 
> I believe that, along with d18341fb1121332056aecc00096159df16d01, issue
> #2529 is fixed with this patch.
> make fate passes and valgrind shows no remaining leaks for the sample
> attached to issue #2529.
> 
> Matt

>  utils.c |    2 ++
>  1 file changed, 2 insertions(+)
> 7d1dbb509ab2eedb62dc4e80dfa1493d6fd6c591  0001-Fix-leak-by-dereferencing-audio-frame-when-side-data.patch
> From d3b37f424317e99e52563ffab820c9f1d61ff5bd Mon Sep 17 00:00:00 2001
> From: Matt Wolenetz <wolenetz at chromium.org>
> Date: Mon, 6 May 2013 14:44:17 -0700
> Subject: [PATCH] Fix leak by dereferencing audio frame when side data causes
>  whole frame skip
> 
> ---
>  libavcodec/utils.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/utils.c b/libavcodec/utils.c
> index 4136d9f..0bce107 100644
> --- a/libavcodec/utils.c
> +++ b/libavcodec/utils.c
> @@ -2103,6 +2103,8 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx,
>          if (avctx->internal->skip_samples && *got_frame_ptr) {
>              if(frame->nb_samples <= avctx->internal->skip_samples){
>                  *got_frame_ptr = 0;
> +                if (avctx->refcounted_frames)
> +                    av_frame_unref(frame);
>                  avctx->internal->skip_samples -= frame->nb_samples;
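
Review bot: In the two added lines, av_frame_unref(frame) runs before the next statement, `avctx->internal->skip_samples -= frame->nb_samples;`, reads the frame. av_frame_unref() resets the frame's fields, so nb_samples no longer holds the decoded sample count by then, and skip_samples would not be reduced by the skipped frame. Move the added lines below the subtraction, or copy nb_samples into a local first, so the count is consumed before the reference is dropped.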

the unref must be after reading frame->nb_samples
patch applied with these 2 swapped

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data