avcodec/qsvenc: Fix leak and crash when encoding H.264 due to A53_CC

Since commit 3bbe0c210b, the Payloads
array of every QSVFrame leaks as soon as the frame is reused;
the leak is small and not very noticeable, but if there is an attempt
to use said array the ensuing crash is much more noticeable.
This happens when encoding H.264 with A53 CC side data.

Furthermore, if said array can not be allocated at all, an AVFrame
leaks.

Fix all of this by not allocating the array separately at all; put it
in QSVFrame instead and restore the Payloads array upon reusing the
frame.

Finally, use av_freep() instead of av_free() to free the payload
entries.

Reviewed-by: Xiang, Haihao <haihao.xiang@intel.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
pull/375/head
Andreas Rheinhardt 3 years ago
parent e22dff43e7
commit 1cdbccaa16
  1. 2
      libavcodec/qsv_internal.h
  2. 10
      libavcodec/qsvenc.c

@ -76,6 +76,8 @@ typedef struct QSVFrame {
mfxExtDecodedFrameInfo dec_info; mfxExtDecodedFrameInfo dec_info;
mfxExtBuffer *ext_param; mfxExtBuffer *ext_param;
mfxPayload *payloads[QSV_MAX_ENC_PAYLOAD]; ///< used for enc_ctrl.Payload
int queued; int queued;
int used; int used;

@ -1259,7 +1259,7 @@ static void free_encoder_ctrl_payloads(mfxEncodeCtrl* enc_ctrl)
if (enc_ctrl) { if (enc_ctrl) {
int i; int i;
for (i = 0; i < enc_ctrl->NumPayload && i < QSV_MAX_ENC_PAYLOAD; i++) { for (i = 0; i < enc_ctrl->NumPayload && i < QSV_MAX_ENC_PAYLOAD; i++) {
av_free(enc_ctrl->Payload[i]); av_freep(&enc_ctrl->Payload[i]);
} }
enc_ctrl->NumPayload = 0; enc_ctrl->NumPayload = 0;
} }
@ -1273,6 +1273,7 @@ static void clear_unused_frames(QSVEncContext *q)
free_encoder_ctrl_payloads(&cur->enc_ctrl); free_encoder_ctrl_payloads(&cur->enc_ctrl);
//do not reuse enc_ctrl from previous frame //do not reuse enc_ctrl from previous frame
memset(&cur->enc_ctrl, 0, sizeof(cur->enc_ctrl)); memset(&cur->enc_ctrl, 0, sizeof(cur->enc_ctrl));
cur->enc_ctrl.Payload = cur->payloads;
if (cur->frame->format == AV_PIX_FMT_QSV) { if (cur->frame->format == AV_PIX_FMT_QSV) {
av_frame_unref(cur->frame); av_frame_unref(cur->frame);
} }
@ -1309,11 +1310,7 @@ static int get_free_frame(QSVEncContext *q, QSVFrame **f)
av_freep(&frame); av_freep(&frame);
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
} }
frame->enc_ctrl.Payload = av_mallocz(sizeof(mfxPayload*) * QSV_MAX_ENC_PAYLOAD); frame->enc_ctrl.Payload = frame->payloads;
if (!frame->enc_ctrl.Payload) {
av_freep(&frame);
return AVERROR(ENOMEM);
}
*last = frame; *last = frame;
*f = frame; *f = frame;
@ -1615,7 +1612,6 @@ int ff_qsv_enc_close(AVCodecContext *avctx, QSVEncContext *q)
while (cur) { while (cur) {
q->work_frames = cur->next; q->work_frames = cur->next;
av_frame_free(&cur->frame); av_frame_free(&cur->frame);
av_free(cur->enc_ctrl.Payload);
av_freep(&cur); av_freep(&cur);
cur = q->work_frames; cur = q->work_frames;
} }

Loading…
Cancel
Save