Hi, On Tue, Jun 28, 2011 at 11:34 PM, Reinhard Tartler <[email protected]> wrote: > On Wed, Jun 29, 2011 at 07:24:21 (CEST), Ronald S. Bultje wrote: > >> ogg_save() copies streams[], but doesn't keep track of free()'ed >> struct members. Thus, if in between a call to ogg_save() and >> ogg_restore(), streams[].private was free()'ed, this would result >> in a double free -> crash, which happened when e.g. playing small >> chained ogg fragments. >> --- >> libavformat/oggdec.c | 3 ++- >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c >> index f1ad630..998a33b 100644 >> --- a/libavformat/oggdec.c >> +++ b/libavformat/oggdec.c >> @@ -238,7 +238,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) >> >> for (n = 0; n < ogg->nstreams; n++) { >> av_freep(&ogg->streams[n].buf); >> - av_freep(&ogg->streams[n].private); >> + if (!ogg->state || ogg->state->streams[n].private != >> ogg->streams[n].private) >> + av_freep(&ogg->streams[n].private); >> } >> ogg->curidx = -1; >> ogg->nstreams = 0; > > patch makes sense to me and passes fate.
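Review bot: the new guard indexes the saved copy with the counter of the current loop (`for (n = 0; n < ogg->nstreams; n++)` evaluating `ogg->state->streams[n].private`), but the saved copy was sized at ogg_save() time; if streams were added after the save, ogg->nstreams exceeds the saved array and the comparison reads past it, so the condition should additionally require n to be below the saved state's own stream count (struct ogg_state records its own nstreams). The same aliasing argument appears to apply to `av_freep(&ogg->streams[n].buf);` one line above, which is still freed unconditionally although the commit message says ogg_save() copies the whole streams[] entry; please state in the commit message or a code comment why buf does not need the same protection. Minor: re-indent the wrapped condition so the continuation aligns under the opening parenthesis, and a short comment saying that the pointer is left alone because the saved state still references it would help the next reader.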
Also a 0.7 backport candidate.

Ronald

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
