[FFmpeg-cvslog] avdevice/lavfi: Fix double-free on error

Andreas Rheinhardt git at videolan.org
Sat Sep 30 13:35:27 EEST 2023 

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Fri Sep 29 19:25:39 2023 +0200| [2cb2465cc739aa34f33b70426b0f6c8183cdfa79] | committer: Andreas Rheinhardt

avdevice/lavfi: Fix double-free on error

After the AVFrame has been wrapped into a buffer,
it is owned by the buffer and must not be freed manually
any more. Yet this happens on subsequent errors.

This bug was introduced in 6ca43a9675d651d7ea47c7ba2fafb1bf831c4d0b.

Reviewed-by: Timo Rothenpieler <timo at rothenpieler.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cb2465cc739aa34f33b70426b0f6c8183cdfa79
---

 libavdevice/lavfi.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c
index ec7ebdbc90..2bfd0b81c7 100644
--- a/libavdevice/lavfi.c
+++ b/libavdevice/lavfi.c
@@ -365,7 +365,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
     LavfiContext *lavfi = avctx->priv_data;
     double min_pts = DBL_MAX;
     int stream_idx, min_pts_sink_idx = 0;
-    AVFrame *frame;
+    AVFrame *frame, *frame_to_free;
     AVDictionary *frame_metadata;
     int ret, i;
     AVStream *st;
@@ -378,6 +378,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
     frame = av_frame_alloc();
     if (!frame)
         return AVERROR(ENOMEM);
+    frame_to_free = frame;
 
     /* iterate through all the graph sinks. Select the sink with the
      * minimum PTS */
@@ -423,6 +424,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt)
             ret = AVERROR(ENOMEM);
             goto fail;
         }
+        frame_to_free = NULL;
 
         pkt->data   = pkt->buf->data;
         pkt->size   = pkt->buf->size;
@@ -463,12 +465,11 @@ FF_DISABLE_DEPRECATION_WARNINGS
 FF_ENABLE_DEPRECATION_WARNINGS
 #endif
 
-    if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
-        av_frame_free(&frame);
+    av_frame_free(&frame_to_free);
 
     return pkt->size;
 fail:
-    av_frame_free(&frame);
+    av_frame_free(&frame_to_free);
     return ret;
 
 }

More information about the ffmpeg-cvslog mailing list