[FFmpeg-devel] [PATCH] vf_pullup: simplify, fix double free error

wm4 nfxjfg at googlemail.com
Tue Mar 25 13:59:58 CET 2014


The memory allocation for f->diffs was freed multiple times in some
corner cases. Simplify the code so that this doesn't happen. In fact,
the body of free_field_queue restores the original MPlayer code.
---
Sorry for not providing a reproducible test case, but for me this
happened due to a very weird interaction with my application. I
suspect this can happen when initializing the filter, but not
filtering any frames. But I didn't attempt to confirm this.
---
 libavfilter/vf_pullup.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/libavfilter/vf_pullup.c b/libavfilter/vf_pullup.c
index 58d4d7a..9a3fc05 100644
--- a/libavfilter/vf_pullup.c
+++ b/libavfilter/vf_pullup.c
@@ -126,20 +126,18 @@ static int alloc_metrics(PullupContext *s, PullupField *f)
     return 0;
 }
 
-static void free_field_queue(PullupField *head, PullupField **last)
+static void free_field_queue(PullupField *head)
 {
     PullupField *f = head;
-    while (f) {
+    do {
+        if (!f)
+            break;
         av_free(f->diffs);
         av_free(f->combs);
         av_free(f->vars);
-        if (f == *last) {
-            av_freep(last);
-            break;
-        }
         f = f->next;
-        av_freep(&f->prev);
-    };
+        av_free(f->prev);
+    } while (f != head);
 }
 
 static PullupField *make_field_queue(PullupContext *s, int len)
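Review bot: The pair `f = f->next;` / `av_free(f->prev);` dereferences NULL when the queue is not yet closed into a ring, which is exactly the state in both error paths of make_field_queue (second hunk, lines calling `free_field_queue(head)`): the node that failed is still the tail with `next == NULL`, so the walk reaches `f = NULL` and then reads `f->prev`. The removed `f == *last` check was what stopped the old loop there; the MPlayer loop being restored assumed an always-circular queue, so taking it verbatim reintroduces that assumption — unless head's links are pre-closed before the loop outside the hunk, which is not visible here. Freeing each node through a saved `next` pointer and stopping on either NULL or head handles both the complete ring and the partial chain, and drops the free-through-`prev` indirection.
```c
static void free_field_queue(PullupField *head)
{
    PullupField *f = head, *next;

    do {
        if (!f)
            break;
        /* … unchanged: av_free of f->diffs, f->combs, f->vars … */
        next = f->next;
        av_free(f);
        f = next;
    } while (f && f != head);
}
```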
@@ -158,14 +156,14 @@ static PullupField *make_field_queue(PullupContext *s, int len)
     for (; len > 0; len--) {
         f->next = av_mallocz(sizeof(*f->next));
         if (!f->next) {
-            free_field_queue(head, &f);
+            free_field_queue(head);
             return NULL;
         }
 
         f->next->prev = f;
         f = f->next;
         if (alloc_metrics(s, f) < 0) {
-            free_field_queue(head, &f);
+            free_field_queue(head);
             return NULL;
         }
     }
@@ -736,7 +734,8 @@ static av_cold void uninit(AVFilterContext *ctx)
     PullupContext *s = ctx->priv;
     int i;
 
-    free_field_queue(s->head, &s->last);
+    free_field_queue(s->head);
+    s->last = NULL;
 
     for (i = 0; i < FF_ARRAY_ELEMS(s->buffers); i++) {
         av_freep(&s->buffers[i].planes[0]);
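Review bot: `s->last = NULL;` restores the clearing that `av_freep(last)` used to do, but `s->head` is left pointing at freed memory after `free_field_queue(s->head)`; adding `s->head = NULL;` beside it keeps the two queue pointers consistent and turns any later stray access into a NULL dereference instead of a read of freed memory. uninit's body continues outside the hunk.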
-- 
1.9.1


