[vlc-commits] demux: avformat: fix double free with io buffer (fix #15903)

Francois Cartegnie git at videolan.org
Sun Nov 22 21:32:23 CET 2015


vlc/vlc-2.2 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Nov 18 10:55:07 2015 +0100| [945cf175155793c852fddb30e723d0c6218e4f20] | committer: Jean-Baptiste Kempf

demux: avformat: fix double free with io buffer (fix #15903)

As mentioned by documentation
"It may be freed and replaced with a new buffer by libavformat."
" AVIOContext.buffer holds the buffer currently in use"

(cherry picked from commit 51bbaf06e0510ea921890158992e39af5a7b6f42)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=945cf175155793c852fddb30e723d0c6218e4f20
---

 modules/demux/avformat/demux.c |   41 +++++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
index ff6d740..71aaf34 100644
--- a/modules/demux/avformat/demux.c
+++ b/modules/demux/avformat/demux.c
@@ -64,9 +64,6 @@
  *****************************************************************************/
 struct demux_sys_t
 {
-    int             io_buffer_size;
-    uint8_t        *io_buffer;
-
     AVInputFormat  *fmt;
     AVFormatContext *ic;
 
@@ -84,6 +81,8 @@ struct demux_sys_t
     input_title_t *p_title;
 };
 
+#define AVFORMAT_IOBUFFER_SIZE 32768  /* FIXME */
+
 /*****************************************************************************
  * Local prototypes
  *****************************************************************************/
@@ -285,12 +284,33 @@ int OpenDemux( vlc_object_t *p_this )
     p_sys->p_title = NULL;
 
     /* Create I/O wrapper */
-    p_sys->io_buffer_size = 32768;  /* FIXME */
-    p_sys->io_buffer = xmalloc( p_sys->io_buffer_size );
+    unsigned char * p_io_buffer = malloc( AVFORMAT_IOBUFFER_SIZE );
+    if( !p_io_buffer )
+    {
+        free( psz_url );
+        CloseDemux( p_this );
+        return VLC_ENOMEM;
+    }
 
     p_sys->ic = avformat_alloc_context();
-    AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_sys->io_buffer,
-        p_sys->io_buffer_size, 0, p_demux, IORead, NULL, IOSeek );
+    if( !p_sys->ic )
+    {
+        free( p_io_buffer );
+        free( psz_url );
+        CloseDemux( p_this );
+        return VLC_ENOMEM;
+    }
+
+    AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_io_buffer,
+        AVFORMAT_IOBUFFER_SIZE, 0, p_demux, IORead, NULL, IOSeek );
+    if( !pb )
+    {
+        free( p_io_buffer );
+        free( psz_url );
+        CloseDemux( p_this );
+        return VLC_ENOMEM;
+    }
+
     p_sys->ic->pb->seekable = b_can_seek ? AVIO_SEEKABLE_NORMAL : 0;
     error = avformat_open_input(&p_sys->ic, psz_url, p_sys->fmt, NULL);
 
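Review bot: The I/O buffer is obtained with `malloc()` in this hunk, but the new CloseDemux code releases `pb->buffer` with `av_free()`, and the commit message itself notes that libavformat may free and replace the buffer. libavformat documents that the buffer passed to `avio_alloc_context()` must come from `av_malloc()`; the two allocators are not interchangeable on every platform or build, so the mismatch can end in heap corruption. I would allocate with `unsigned char *p_io_buffer = av_malloc( AVFORMAT_IOBUFFER_SIZE );` and use `av_free( p_io_buffer );` in the two error branches that still own the buffer. OpenDemux starts and ends outside this hunk, so whether `p_sys->ic` is already initialised when the first branch calls `CloseDemux()` cannot be confirmed from here.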
@@ -670,7 +690,11 @@ void CloseDemux( vlc_object_t *p_this )
 
     if( p_sys->ic )
     {
-        av_free( p_sys->ic->pb );
+        if( p_sys->ic->pb )
+        {
+            av_free( p_sys->ic->pb->buffer );
+            av_free( p_sys->ic->pb );
+        }
 #if LIBAVFORMAT_VERSION_INT >= ((53<<16)+(26<<8)+0)
         avformat_close_input( &p_sys->ic );
 #else
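Review bot: The AVIOContext and its buffer are freed before `avformat_close_input( &p_sys->ic )` runs, which leaves `p_sys->ic->pb` dangling while libavformat is still tearing the context down. That is safe only if libavformat never touches a custom `pb` during close, which these lines do not establish; any close path that reads `s->pb` would be a use-after-free. A safer ordering is to save the pointer first with `AVIOContext *pb = p_sys->ic->pb;`, close the input, and only then call `av_free( pb->buffer ); av_free( pb );`. The `#if`/`#else` block and the rest of CloseDemux continue outside this hunk, so the frees would have to follow the `#endif`.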
@@ -685,7 +709,6 @@ void CloseDemux( vlc_object_t *p_this )
     if( p_sys->p_title )
         vlc_input_title_Delete( p_sys->p_title );
 
-    free( p_sys->io_buffer );
     free( p_sys );
 }
 


