On 17/10/2024 20:23, Marvin Scholz wrote:
The way the linked list of images was freed caused a
use after free, by accessing pic->next after pic was
already freed.

Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c

Fix CID1633236
---
  libavcodec/hw_base_encode.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c
index 912c707a68f..4d8bf4fe71d 100644
--- a/libavcodec/hw_base_encode.c
+++ b/libavcodec/hw_base_encode.c
@@ -802,14 +802,14 @@ int ff_hw_base_encode_init(AVCodecContext *avctx, 
FFHWBaseEncodeContext *ctx)
      return 0;
  }
int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx)
  {
-    FFHWBaseEncodePicture *pic;
-
-    for (pic = ctx->pic_start; pic; pic = pic->next)
+    for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; 
pic = next_pic) {
+        next_pic = pic->next;
          base_encode_pic_free(pic);
+    }
av_fifo_freep2(&ctx->encode_fifo); av_frame_free(&ctx->frame);
      av_packet_free(&ctx->tail_pkt);
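
Review bot: after the new loop in ff_hw_base_encode_close, ctx->pic_start is left pointing at the head of the list that was just freed, so a second call to this function or any later reader of ctx would walk freed memory again; setting ctx->pic_start to NULL once the loop finishes would close that off. The `*next_pic = pic` initializer in the for statement is also redundant, since next_pic is overwritten from pic->next before its first use; leaving it uninitialized, or writing this as a plain while loop, would make the intent easier to read.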

base-commit: f0e6296ddeaf5c5077f4787080712f8e26a34d77

Thanks, pushed.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel