[FFmpeg-devel] [PATCH] avcodec/hw_base_encode: fix use after free on close
Lynne
dev at lynne.ee
Fri Oct 18 12:19:45 EEST 2024
On 17/10/2024 20:23, Marvin Scholz wrote:
> The way the linked list of images was freed caused a
> use after free, by accessing pic->next after pic was
> already freed.
>
> Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c
>
> Fix CID1633236
> ---
> libavcodec/hw_base_encode.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c
> index 912c707a68f..4d8bf4fe71d 100644
> --- a/libavcodec/hw_base_encode.c
> +++ b/libavcodec/hw_base_encode.c
> @@ -802,14 +802,14 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, FFHWBaseEncodeContext *ctx)
> return 0;
> }
>
> int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx)
> {
> - FFHWBaseEncodePicture *pic;
> -
> - for (pic = ctx->pic_start; pic; pic = pic->next)
> + for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; pic = next_pic) {
> + next_pic = pic->next;
> base_encode_pic_free(pic);
> + }
>
> av_fifo_freep2(&ctx->encode_fifo);
>
> av_frame_free(&ctx->frame);
> av_packet_free(&ctx->tail_pkt);
>
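Review bot: In ff_hw_base_encode_close(), ctx->pic_start still points at the first freed picture once the loop finishes. The cleanups that follow (av_fifo_freep2(&ctx->encode_fifo), av_frame_free(&ctx->frame), av_packet_free(&ctx->tail_pkt)) all clear the pointer they release, so in the lines shown the list head is left dangling while its neighbours are not. Setting `ctx->pic_start = NULL;` after the loop would keep a repeated close, or any later walk of the list, from touching freed memory. Separately, the initializer `*next_pic = pic` in the for header is never read, because next_pic is assigned from pic->next before its first use; declaring next_pic inside the loop body would be clearer.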
> base-commit: f0e6296ddeaf5c5077f4787080712f8e26a34d77
Thanks, pushed.