[FFmpeg-devel] [PATCH] avcodec/hw_base_encode: fix use after free on close
Marvin Scholz
epirat07 at gmail.com
Thu Oct 17 21:23:40 EEST 2024
The way the linked list of images was freed caused a
use after free, by accessing pic->next after pic was
already freed.
Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c
Fix CID1633236
---
libavcodec/hw_base_encode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c
index 912c707a68f..4d8bf4fe71d 100644
--- a/libavcodec/hw_base_encode.c
+++ b/libavcodec/hw_base_encode.c
@@ -802,14 +802,14 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, FFHWBaseEncodeContext *ctx)
return 0;
}
int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx)
{
- FFHWBaseEncodePicture *pic;
-
- for (pic = ctx->pic_start; pic; pic = pic->next)
+ for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; pic = next_pic) {
+ next_pic = pic->next;
base_encode_pic_free(pic);
+ }
av_fifo_freep2(&ctx->encode_fifo);
av_frame_free(&ctx->frame);
av_packet_free(&ctx->tail_pkt);
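Review bot: in the new for-init of ff_hw_base_encode_close(), the initializer `*next_pic = pic` is dead, because next_pic is overwritten with pic->next at the top of every iteration before it is ever read; declaring it as `*next_pic = NULL` or without an initializer would make it clearer that it only carries the saved successor across the free. Separately, after the loop ctx->pic_start still points at the first freed node, so anything that walks the list again after close (a second close call, for instance) would hit the same use after free; setting `ctx->pic_start = NULL;` right after the loop would close that off. The fix itself, reading pic->next before base_encode_pic_free(pic), is correct for the traversal shown.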
base-commit: f0e6296ddeaf5c5077f4787080712f8e26a34d77
--
2.47.0