ffmpeg | branch: release/4.4 | Andreas Rheinhardt <andreas.rheinha...@outlook.com> | Wed Oct 6 17:21:04 2021 +0200| [bdb5f6e7f8ea9b37e0dedd34b4ef1887c02d4db4] | committer: Andreas Rheinhardt
avfilter/asrc_flite: Fix use-after-frees

When an flite filter instance is uninitialized and the refcount of the corresponding voice_entry reaches zero, the voice is unregistered, yet the voice_entry's pointer to the voice is not reset. (Whereas some other pointers are needlessly reset.) Because of this a new flite filter instance will believe said voice to already be registered, leading to use-after-frees. Fix this by resetting the right pointer instead of the wrong ones.

Reviewed-by: Paul B Mahol <one...@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@outlook.com>
(cherry picked from commit 18ddb25c7a58404641de2f6aa68220bd509e376c)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bdb5f6e7f8ea9b37e0dedd34b4ef1887c02d4db4

--- libavfilter/asrc_flite.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/asrc_flite.c b/libavfilter/asrc_flite.c index 71924e7e1a..6373ae761d 100644 --- a/libavfilter/asrc_flite.c +++ b/libavfilter/asrc_flite.c @@ -197,10 +197,10 @@ static av_cold void uninit(AVFilterContext *ctx) FliteContext *flite = ctx->priv; if (flite->voice_entry) { - if (!--flite->voice_entry->usage_count) + if (!--flite->voice_entry->usage_count) { flite->voice_entry->unregister_fn(flite->voice); - flite->voice = NULL; - flite->voice_entry = NULL; + flite->voice_entry->voice = NULL; + } } delete_wave(flite->wave); flite->wave = NULL;
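Review bot: In uninit(), dropping the two resets leaves flite->voice_entry set after teardown, and flite->voice still holds the pointer that was just passed to unregister_fn when the count reached zero. If uninit() can ever run a second time on the same context, `--flite->voice_entry->usage_count` would execute again and could release a voice that other instances still reference, or call unregister_fn on a stale pointer. Unless something outside this hunk guarantees uninit() runs exactly once per context, keep `flite->voice = NULL;` and `flite->voice_entry = NULL;` after the inner block, in addition to the new `flite->voice_entry->voice = NULL;`. A one-line comment on the new assignment would also help, stating that a NULL voice_entry->voice is what tells the next instance the voice is not registered, since that invariant currently appears only in the commit message.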