vp9_superframe_bsf: cache packets by creating new references instead of moving pointers

Fixes invalid reads after free.

Signed-off-by: James Almer <jamrial@gmail.com>
pull/272/head
James Almer 7 years ago
parent 0ccddbad20
commit 5c22c90c1d
  1. 25
      libavcodec/vp9_superframe_bsf.c

@ -148,8 +148,9 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *out)
goto done; goto done;
} }
s->cache[s->n_cache++] = in; res = av_packet_ref(s->cache[s->n_cache++], in);
in = NULL; if (res < 0)
goto done;
if (invisible) { if (invisible) {
res = AVERROR(EAGAIN); res = AVERROR(EAGAIN);
goto done; goto done;
@ -165,7 +166,7 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *out)
goto done; goto done;
for (n = 0; n < s->n_cache; n++) for (n = 0; n < s->n_cache; n++)
av_packet_free(&s->cache[n]); av_packet_unref(s->cache[n]);
s->n_cache = 0; s->n_cache = 0;
done: done:
@ -175,13 +176,28 @@ done:
return res; return res;
} }
static int vp9_superframe_init(AVBSFContext *ctx)
{
VP9BSFContext *s = ctx->priv_data;
int n;
// alloc cache packets
for (n = 0; n < MAX_CACHE; n++) {
s->cache[n] = av_packet_alloc();
if (!s->cache[n])
return AVERROR(ENOMEM);
}
return 0;
}
static void vp9_superframe_close(AVBSFContext *ctx) static void vp9_superframe_close(AVBSFContext *ctx)
{ {
VP9BSFContext *s = ctx->priv_data; VP9BSFContext *s = ctx->priv_data;
int n; int n;
// free cached data // free cached data
for (n = 0; n < s->n_cache; n++) for (n = 0; n < MAX_CACHE; n++)
av_packet_free(&s->cache[n]); av_packet_free(&s->cache[n]);
} }
@ -193,6 +209,7 @@ const AVBitStreamFilter ff_vp9_superframe_bsf = {
.name = "vp9_superframe", .name = "vp9_superframe",
.priv_data_size = sizeof(VP9BSFContext), .priv_data_size = sizeof(VP9BSFContext),
.filter = vp9_superframe_filter, .filter = vp9_superframe_filter,
.init = vp9_superframe_init,
.close = vp9_superframe_close, .close = vp9_superframe_close,
.codec_ids = codec_ids, .codec_ids = codec_ids,
}; };
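Review bot: In the first hunk of vp9_superframe_filter, `s->n_cache++` is evaluated as part of the av_packet_ref() argument, so the count advances even when the call fails and control jumps to `done`. That leaves a slot counted as cached although it holds no reference, and a later call would presumably merge or unref it as if it were a real packet (the merge code is outside the hunk). Incrementing only on success keeps the count and the slots in step: `res = av_packet_ref(s->cache[s->n_cache], in);`, `if (res < 0) goto done;`, `s->n_cache++;`. The check that keeps the index below MAX_CACHE is not visible here and the function body starts and ends outside the hunk, so that bound should be confirmed against the full file.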
