avfilter/af_headphone: Fix segfault upon allocation failure

The headphone filter uses a variable number of inpads and allocates them in its init function; if all goes well, the number of inpads coincides with a number stored in the filter's private context. Yet if allocating a subsequent inpad fails, the uninit function nevertheless uses the number stored in the private context to determine the number of inpads to free and not the AVFilterContext's nb_inputs. This will lead to an access beyond the end of the allocated AVFilterContext.input_pads array and an invalid free. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
4 years ago · 0960da42f5
parent e07541930a
commit 0960da42f5
1 changed files with 2 additions and 5 deletions
--- a/libavfilter/af_headphone.c
+++ b/libavfilter/af_headphone.c
@ -812,7 +812,6 @@ static int config_output(AVFilterLink *outlink)
 static av_cold void uninit(AVFilterContext *ctx)
 {
    HeadphoneContext *s = ctx->priv;
-    int i;

    av_fft_end(s->ifft[0]);
    av_fft_end(s->ifft[1]);
@ -834,11 +833,9 @@ static av_cold void uninit(AVFilterContext *ctx)
    av_freep(&s->data_hrtf[1]);
    av_freep(&s->fdsp);

-    for (i = 0; i < s->nb_inputs; i++) {
-        if (ctx->input_pads && i)
-            av_freep(&ctx->input_pads[i].name);
-    }
    av_freep(&s->in);
+    for (unsigned i = 1; i < ctx->nb_inputs; i++)
+        av_freep(&ctx->input_pads[i].name);
 }

 #define OFFSET(x) offsetof(HeadphoneContext, x)