On Wed, Jun 29, 2011 at 07:24:21 (CEST), Ronald S. Bultje wrote:
> ogg_save() copies streams[], but doesn't keep track of free()'ed
> struct members. Thus, if in between a call to ogg_save() and
> ogg_restore(), streams[].private was free()'ed, this would result
> in a double free -> crash, which happened when e.g. playing small
> chained ogg fragments.
> ---
> libavformat/oggdec.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
> index f1ad630..998a33b 100644
> --- a/libavformat/oggdec.c
> +++ b/libavformat/oggdec.c
> @@ -238,7 +238,8 @@ static int ogg_read_page(AVFormatContext *s, int *str)
>
> for (n = 0; n < ogg->nstreams; n++) {
> av_freep(&ogg->streams[n].buf);
> - av_freep(&ogg->streams[n].private);
> + if (!ogg->state || ogg->state->streams[n].private !=
> ogg->streams[n].private)
> + av_freep(&ogg->streams[n].private);
> }
> ogg->curidx = -1;
> ogg->nstreams = 0;
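Review bot: the loop runs to ogg->nstreams, but the new guard indexes ogg->state->streams[n] without checking n against the saved state's own stream count; if the snapshot was taken when fewer streams existed than are present now, ogg->state->streams[n] reads past the saved array. Suggest bounding the comparison first, e.g. `n < ogg->state->nstreams && ...` (assuming the saved state records how many entries it copied), before comparing the two private pointers. The commit message should also say why buf, freed unconditionally on the line above, cannot be shared with the snapshot in the same way, so the next reader does not wonder whether it needs the same guard.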
Patch makes sense to me and passes FATE.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
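The failure mode described in the quoted commit message, as an added example that is not part of the thread or of libavformat: a save() that shallow-copies a stream array shares the per-stream private pointers with the snapshot, so a reset that frees them unconditionally leaves dangling pointers in the snapshot, and the later restore and teardown free them a second time. The struct names, the tracked allocator that counts double frees instead of crashing, and the save/reset/restore flow are assumptions made for this model, not the demuxer's real code; the guard in reset_streams() mirrors the pointer comparison in the patch, with an added bound against the snapshot's stream count.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of per-stream demuxer state (assumed shape, not libavformat's). */
struct stream { void *priv; };

struct state {                 /* one saved snapshot, shallow copy of streams[] */
    struct stream *streams;
    int nstreams;
    struct state *next;
};

struct demuxer {
    struct stream *streams;
    int nstreams;
    struct state *state;       /* most recent snapshot, NULL if none */
};

/* Tracking allocator: a second free() of the same block is counted, not executed. */
#define MAX_ALLOC 16
static void *allocs[MAX_ALLOC];
static int   live[MAX_ALLOC];
static int   nalloc, double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    allocs[nalloc] = p; live[nalloc] = 1; nalloc++;
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < nalloc; i++) {
        if (allocs[i] != p) continue;
        if (!live[i]) { double_frees++; return; }   /* would have been a double free */
        live[i] = 0; free(p); return;
    }
}

/* Number of tracked blocks never released; 0 means no leak. */
int leaked_count(void) {
    int n = 0;
    for (int i = 0; i < nalloc; i++) n += live[i];
    return n;
}

static void save(struct demuxer *d) {
    struct state *s = calloc(1, sizeof *s);
    s->nstreams = d->nstreams;
    s->streams = malloc(d->nstreams * sizeof *d->streams);
    memcpy(s->streams, d->streams, d->nstreams * sizeof *d->streams); /* priv now shared */
    s->next = d->state;
    d->state = s;
}

/* Page-boundary reset. With guard==0 this is the pre-patch behaviour; with
 * guard==1 a priv pointer still referenced by the snapshot is left for the
 * snapshot's owner to free. */
static void reset_streams(struct demuxer *d, int guard) {
    for (int n = 0; n < d->nstreams; n++) {
        int shared = d->state && n < d->state->nstreams &&
                     d->state->streams[n].priv == d->streams[n].priv;
        if (!guard || !shared)
            tracked_free(d->streams[n].priv);
        d->streams[n].priv = NULL;
    }
    d->nstreams = 0;
}

static void restore(struct demuxer *d) {
    struct state *s = d->state;
    if (!s) return;
    d->state = s->next;
    free(d->streams);
    d->streams  = s->streams;   /* take ownership of the snapshot array */
    d->nstreams = s->nstreams;
    free(s);
}

static void free_all(struct demuxer *d) {
    for (int n = 0; n < d->nstreams; n++) tracked_free(d->streams[n].priv);
    free(d->streams); d->streams = NULL; d->nstreams = 0;
}

/* Runs save -> reset -> restore -> teardown on two streams with constructed
 * private data; returns how many double frees the reset would have caused. */
int run_scenario(int guard) {
    nalloc = double_frees = 0;
    struct demuxer d = {0};
    d.nstreams = 2;
    d.streams = calloc(2, sizeof *d.streams);
    for (int n = 0; n < 2; n++) d.streams[n].priv = tracked_alloc(16);
    save(&d);
    reset_streams(&d, guard);   /* new page arrives while a snapshot is held */
    restore(&d);
    free_all(&d);
    return double_frees;
}

int main(void) {
    printf("unguarded reset: %d double frees, %d leaked\n", run_scenario(0), leaked_count());
    printf("guarded reset:   %d double frees, %d leaked\n", run_scenario(1), leaked_count());
    return 0;
}
```

The unguarded run frees both private blocks twice (once in reset, once in teardown through the restored snapshot); the guarded run frees each exactly once and leaks nothing, which is the property a regression test for this fix should assert.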