forked from pool/ffmpeg-4
32 lines
1.1 KiB
Diff
32 lines
1.1 KiB
Diff
From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
|
|
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
|
Date: Sun, 24 Sep 2023 13:15:48 +0200
|
|
Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
|
|
|
|
After having created the AVBuffer that is put into frame->buf[0],
|
|
ownership of several objects (namely an AVDRMFrameDescriptor,
|
|
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
|
|
has passed to the AVBuffer and therefore to the frame.
|
|
Yet it has nevertheless been freed manually on error
|
|
afterwards, which would lead to a double-free as soon
|
|
as the AVFrame is unreferenced.
|
|
|
|
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
|
---
|
|
libavcodec/rkmppdec.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
--- a/libavcodec/rkmppdec.c
|
|
+++ b/libavcodec/rkmppdec.c
|
|
@@ -460,8 +460,8 @@
|
|
|
|
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
|
|
if (!frame->hw_frames_ctx) {
|
|
- ret = AVERROR(ENOMEM);
|
|
- goto fail;
|
|
+ av_frame_unref(frame);
|
|
+ return AVERROR(ENOMEM);
|
|
}
|
|
|
|
return 0;
|