The amerge filter uses a variable number of inpads and allocates them
in its init function; if all goes well, the number of inpads coincides
with a number stored in the filter's private context. Yet if allocating a
subsequent inpad fails, the uninit function nevertheless uses the number
stored in the private context to determine the number of inpads to free
and not the AVFilterContext's nb_inputs. This will lead to an access
beyond the end of the allocated AVFilterContext.input_pads array and
an invalid free.
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com>
---
libavfilter/af_amerge.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/libavfilter/af_amerge.c b/libavfilter/af_amerge.c
index ca94a224af..93f6f17d22 100644
--- a/libavfilter/af_amerge.c
+++ b/libavfilter/af_amerge.c
@@ -58,13 +58,10 @@ AVFILTER_DEFINE_CLASS(amerge);
static av_cold void uninit(AVFilterContext *ctx)
{
AMergeContext *s = ctx->priv;
- int i;
- for (i = 0; i < s->nb_inputs; i++) {
- if (ctx->input_pads)
- av_freep(&ctx->input_pads[i].name);
- }
av_freep(&s->in);
+ for (unsigned i = 0; i < ctx->nb_inputs; i++)
+ av_freep(&ctx->input_pads[i].name);
}
static int query_formats(AVFilterContext *ctx)
--
2.20.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
