On 2024-10-17 20:23 +0200, Marvin Scholz wrote: > The way the linked list of images was freed caused a > use after free, by accessing pic->next after pic was > already freed. > > Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c > > Fix CID1633236 > --- > libavcodec/hw_base_encode.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c > index 912c707a68f..4d8bf4fe71d 100644 > --- a/libavcodec/hw_base_encode.c > +++ b/libavcodec/hw_base_encode.c > @@ -802,14 +802,14 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, > FFHWBaseEncodeContext *ctx) > return 0; > } > > int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx) > { > - FFHWBaseEncodePicture *pic; > - > - for (pic = ctx->pic_start; pic; pic = pic->next) > + for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; > pic = next_pic) { > + next_pic = pic->next; > base_encode_pic_free(pic); > + }
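Review bot: in the new for header, the initializer `*next_pic = pic` is a dead store, because `next_pic = pic->next;` overwrites it at the top of the body before it is ever read. Declaring `next_pic` without an initializer, or inside the loop body, would make it clearer that the only value used is the one saved before `base_encode_pic_free(pic)` runs. Separately, the visible lines do not show `ctx->pic_start` being reset after the loop; if nothing further down clears it, it keeps pointing at freed memory, so setting it to NULL once the list has been freed would keep a repeated close from walking a stale list.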
LGTM

I think it would be better to name next_pic just next. So the line would look like:

    next = pic->next;

That would be in line with the other 2 similar loops in the file.

Alexander
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel