The way the linked list of images was freed caused a use-after-free, by accessing pic->next after pic was already freed.
Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c Fix CID1633236 --- libavcodec/hw_base_encode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c index 912c707a68f..4d8bf4fe71d 100644 --- a/libavcodec/hw_base_encode.c +++ b/libavcodec/hw_base_encode.c @@ -802,14 +802,14 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, FFHWBaseEncodeContext *ctx) return 0; } int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx) { - FFHWBaseEncodePicture *pic; - - for (pic = ctx->pic_start; pic; pic = pic->next) + for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; pic = next_pic) { + next_pic = pic->next; base_encode_pic_free(pic); + } av_fifo_freep2(&ctx->encode_fifo); av_frame_free(&ctx->frame); av_packet_free(&ctx->tail_pkt); base-commit: f0e6296ddeaf5c5077f4787080712f8e26a34d77 -- 2.47.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
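Review bot: the `*next_pic = pic` initializer in the new for header is dead: the first statement of the body, `next_pic = pic->next;`, overwrites it before it is ever read, so initializing `next_pic` to `pic` only suggests a relationship that does not exist. Either initialize it to NULL, or keep the declarations in front of the loop as the removed `FFHWBaseEncodePicture *pic;` line did and write `for (pic = ctx->pic_start; pic; pic = next_pic)`, which matches the style of the surrounding code. The fix itself is correct: `next` is now read while `pic` is still live, and `base_encode_pic_free(pic)` is the only thing that touches `pic` afterwards.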
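The two loop shapes from the patch, side by side, as an added example that is not FFmpeg code. `Pic` is a hypothetical stand-in for FFHWBaseEncodePicture and `pic_free_tracked()` for base_encode_pic_free(); instead of returning nodes to malloc it parks them in a quarantine and marks them freed, so the read of `pic->next` after the free becomes a counted event rather than undefined behaviour. The list contents are constructed sample input.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for FFHWBaseEncodePicture; only the `next` link
 * matters for the traversal bug. `freed` is instrumentation the real
 * struct does not have. */
typedef struct Pic {
    int id;
    struct Pic *next;
    int freed;
} Pic;

/* Quarantine: "freed" nodes are parked here instead of being handed back to
 * malloc, so a read after free is observable instead of undefined. */
#define QUARANTINE_MAX 64
static Pic *g_quarantine[QUARANTINE_MAX];
static int g_quarantine_len;

/* Stand-in for base_encode_pic_free(): mark the node freed and quarantine it. */
static void pic_free_tracked(Pic *pic)
{
    assert(g_quarantine_len < QUARANTINE_MAX);
    pic->freed = 1;
    g_quarantine[g_quarantine_len++] = pic;
}

/* Really release everything parked in the quarantine (call between runs). */
static void quarantine_release(void)
{
    for (int i = 0; i < g_quarantine_len; i++)
        free(g_quarantine[i]);
    g_quarantine_len = 0;
}

static int quarantine_count(void)
{
    return g_quarantine_len;
}

/* Constructed sample input: a singly linked list 0 -> 1 -> ... -> n-1. */
static Pic *make_list(int n)
{
    Pic *head = NULL, **tail = &head;
    for (int i = 0; i < n; i++) {
        Pic *p = calloc(1, sizeof(*p));
        if (!p)
            return head;          /* partial list is fine for a demo */
        p->id = i;
        *tail = p;
        tail = &p->next;
    }
    return head;
}

/* Instrumented load of pic->next: counts the load if pic was already freed. */
static Pic *read_next(Pic *pic, int *uaf_reads)
{
    if (pic->freed)
        (*uaf_reads)++;
    return pic->next;
}

/* Loop shape before the patch: the increment expression dereferences `pic`
 * after the body freed it. Returns the number of reads after free. */
static int free_list_before(Pic *head)
{
    int uaf_reads = 0;
    for (Pic *pic = head; pic; pic = read_next(pic, &uaf_reads))
        pic_free_tracked(pic);
    return uaf_reads;
}

/* Loop shape after the patch: `next` is saved while `pic` is still live,
 * so the increment never touches freed memory. Returns 0 reads after free. */
static int free_list_after(Pic *head)
{
    int uaf_reads = 0;
    for (Pic *pic = head, *next_pic = NULL; pic; pic = next_pic) {
        next_pic = read_next(pic, &uaf_reads);
        pic_free_tracked(pic);
    }
    return uaf_reads;
}

int main(void)
{
    int bad = free_list_before(make_list(4));
    printf("before: %d nodes freed, %d reads after free\n", quarantine_count(), bad);
    quarantine_release();
    int good = free_list_after(make_list(4));
    printf("after:  %d nodes freed, %d reads after free\n", quarantine_count(), good);
    quarantine_release();
    return 0;
}
```

With a real free() in place of the quarantine, the "before" loop is undefined behaviour and is exactly what AddressSanitizer reports as heap-use-after-free on the `pic->next` load; the quarantine only makes the count deterministic so the two shapes can be compared.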