diff options
| author | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2020-08-07 13:23:30 +0200 |
|---|---|---|
| committer | Andreas Rheinhardt <andreas.rheinhardt@gmail.com> | 2021-02-27 07:20:57 +0100 |
| commit | ac5eb3c75115efc857017e15ea1e435ba2b46f37 (patch) | |
| tree | 1aeafd82bee04429aee7ecc4998adc351d91563d /libavfilter | |
| parent | 74b47138a39b36a67531e5e3d17713ae265a1555 (diff) | |
| download | ffmpeg-ac5eb3c75115efc857017e15ea1e435ba2b46f37.tar.gz | |
avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error
The query_formats function of the showpalette filter tries to allocate
two lists of formats which on success are attached to more permanent objects
(AVFilterLinks) for storage afterwards. If attaching a list to an
AVFilterLink succeeds, the link becomes one (in this case the only one)
of the owners of the list. Yet if attaching the first list to its link
succeeds and attaching the second list fails, both lists were manually
freed, which means that the first link's pointer to the first list
becomes dangling and there will be a double-free when the first link is
cleaned up automatically.
This commit fixes this by removing the custom free code; this will
temporarily add a leaking codepath (if attaching a list to a link fails,
the list will leak), but this will be fixed shortly by making sure that
an AVFilterFormats without owner will be automatically freed when
attaching it to an AVFilterLink fails. Notice at most one list leaks
because as of this commit a new list is only allocated after the old list
has been successfully attached to a link.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 76909c97c68c79d3c0353de83418a112595e9798)
Diffstat (limited to 'libavfilter')
| -rw-r--r-- | libavfilter/vf_showpalette.c | 25 |
1 files changed, 6 insertions, 19 deletions
diff --git a/libavfilter/vf_showpalette.c b/libavfilter/vf_showpalette.c index 5b0772bc0b..0e9c0b3510 100644 --- a/libavfilter/vf_showpalette.c +++ b/libavfilter/vf_showpalette.c @@ -46,26 +46,13 @@ static int query_formats(AVFilterContext *ctx) { static const enum AVPixelFormat in_fmts[] = {AV_PIX_FMT_PAL8, AV_PIX_FMT_NONE}; static const enum AVPixelFormat out_fmts[] = {AV_PIX_FMT_RGB32, AV_PIX_FMT_NONE}; - int ret; - AVFilterFormats *in = ff_make_format_list(in_fmts); - AVFilterFormats *out = ff_make_format_list(out_fmts); - if (!in || !out) { - ret = AVERROR(ENOMEM); - goto fail; - } + int ret = ff_formats_ref(ff_make_format_list(in_fmts), + &ctx->inputs[0]->out_formats); + if (ret < 0) + return ret; - if ((ret = ff_formats_ref(in , &ctx->inputs[0]->out_formats)) < 0 || - (ret = ff_formats_ref(out, &ctx->outputs[0]->in_formats)) < 0) - goto fail; - return 0; -fail: - if (in) - av_freep(&in->formats); - av_freep(&in); - if (out) - av_freep(&out->formats); - av_freep(&out); - return ret; + return ff_formats_ref(ff_make_format_list(out_fmts), + &ctx->outputs[0]->in_formats); } static int config_output(AVFilterLink *outlink) |