[vlc-commits] demux: avformat: fix double free with io buffer (fix #15903)
Francois Cartegnie
git at videolan.org
Wed Nov 18 11:51:22 CET 2015
vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Nov 18 10:55:07 2015 +0100| [51bbaf06e0510ea921890158992e39af5a7b6f42] | committer: Francois Cartegnie
demux: avformat: fix double free with io buffer (fix #15903)
As mentioned by documentation
"It may be freed and replaced with a new buffer by libavformat."
" AVIOContext.buffer holds the buffer currently in use"
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=51bbaf06e0510ea921890158992e39af5a7b6f42
---
modules/demux/avformat/demux.c | 41 +++++++++++++++++++++++++++++++---------
1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
index f8f7657..39c9898 100644
--- a/modules/demux/avformat/demux.c
+++ b/modules/demux/avformat/demux.c
@@ -64,9 +64,6 @@
*****************************************************************************/
struct demux_sys_t
{
- int io_buffer_size;
- uint8_t *io_buffer;
-
AVInputFormat *fmt;
AVFormatContext *ic;
@@ -84,6 +81,8 @@ struct demux_sys_t
input_title_t *p_title;
};
+#define AVFORMAT_IOBUFFER_SIZE 32768 /* FIXME */
+
/*****************************************************************************
* Local prototypes
*****************************************************************************/
@@ -285,12 +284,33 @@ int OpenDemux( vlc_object_t *p_this )
p_sys->p_title = NULL;
/* Create I/O wrapper */
- p_sys->io_buffer_size = 32768; /* FIXME */
- p_sys->io_buffer = xmalloc( p_sys->io_buffer_size );
+ unsigned char * p_io_buffer = malloc( AVFORMAT_IOBUFFER_SIZE );
+ if( !p_io_buffer )
+ {
+ free( psz_url );
+ CloseDemux( p_this );
+ return VLC_ENOMEM;
+ }
p_sys->ic = avformat_alloc_context();
- AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_sys->io_buffer,
- p_sys->io_buffer_size, 0, p_demux, IORead, NULL, IOSeek );
+ if( !p_sys->ic )
+ {
+ free( p_io_buffer );
+ free( psz_url );
+ CloseDemux( p_this );
+ return VLC_ENOMEM;
+ }
+
+ AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_io_buffer,
+ AVFORMAT_IOBUFFER_SIZE, 0, p_demux, IORead, NULL, IOSeek );
+ if( !pb )
+ {
+ free( p_io_buffer );
+ free( psz_url );
+ CloseDemux( p_this );
+ return VLC_ENOMEM;
+ }
+
p_sys->ic->pb->seekable = b_can_seek ? AVIO_SEEKABLE_NORMAL : 0;
error = avformat_open_input(&p_sys->ic, psz_url, p_sys->fmt, NULL);
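Review bot: The I/O buffer is allocated with `malloc( AVFORMAT_IOBUFFER_SIZE )`, but this same commit releases it in CloseDemux with `av_free( p_sys->ic->pb->buffer )`, and libavformat may free or replace it internally. The avio_alloc_context() documentation requires the buffer to come from av_malloc() and friends, and mixing allocators is only safe on builds where av_malloc maps to plain malloc. The allocation should be `unsigned char *p_io_buffer = av_malloc( AVFORMAT_IOBUFFER_SIZE );`, and the two `free( p_io_buffer )` error paths should become `av_free( p_io_buffer )`. Separately, the first error path calls `CloseDemux( p_this )` before `p_sys->ic` is assigned in this hunk, which is safe only if `p_sys->ic` was set to NULL earlier in OpenDemux, outside the hunk.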
@@ -663,7 +683,11 @@ void CloseDemux( vlc_object_t *p_this )
if( p_sys->ic )
{
- av_free( p_sys->ic->pb );
+ if( p_sys->ic->pb )
+ {
+ av_free( p_sys->ic->pb->buffer );
+ av_free( p_sys->ic->pb );
+ }
#if LIBAVFORMAT_VERSION_INT >= ((53<<16)+(26<<8)+0)
avformat_close_input( &p_sys->ic );
#else
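Review bot: `p_sys->ic->pb` and its buffer are freed before `avformat_close_input( &p_sys->ic )` runs, so the format context is torn down while `ic->pb` is a dangling pointer. Whether any demuxer's close routine touches `pb` is not visible here, but libavformat's custom I/O example closes the input first and frees the AVIOContext afterwards. Take `AVIOContext *pb = p_sys->ic->pb;` before the close, then run `av_free( pb->buffer ); av_free( pb );` after it under `if( pb )`. The same ordering would apply to the `#else` branch, which continues outside this hunk.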
@@ -678,7 +702,6 @@ void CloseDemux( vlc_object_t *p_this )
if( p_sys->p_title )
vlc_input_title_Delete( p_sys->p_title );
- free( p_sys->io_buffer );
free( p_sys );
}