Some callers (like do_subtitle_out()) call this with an AVPacket that is
not refcounted. This can cause undefined behavior.
Calling av_packet_move_ref() does not make a packet refcounted if it
isn't yet. (And it can't be made to, because it always succeeds,
and can't return ENOMEM.)
Call av_packet_ref() instead to make sure it's refcounted.
I couldn't find a case that is fixed by this with the current code. But
it will fix the fate-pva-demux test with the later patches applied.
Signed-off-by: wm4 <nfx...@googlemail.com>
---
ffmpeg.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ffmpeg.c b/ffmpeg.c
index 06570c0dd0..913c18d92b 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -654,7 +654,7 @@ static void write_packet(OutputFile *of, AVPacket *pkt,
OutputStream *ost)
int ret;
if (!of->header_written) {
- AVPacket tmp_pkt;
+ AVPacket tmp_pkt = {0};
/* the muxer is not initialized yet, buffer the packet */
if (!av_fifo_space(ost->muxing_queue)) {
int new_size = FFMIN(2 * av_fifo_size(ost->muxing_queue),
@@ -669,8 +669,11 @@ static void write_packet(OutputFile *of, AVPacket *pkt,
OutputStream *ost)
if (ret < 0)
exit_program(1);
}
- av_packet_move_ref(&tmp_pkt, pkt);
+ ret = av_packet_ref(&tmp_pkt, pkt);
+ if (ret < 0)
+ exit_program(1);
av_fifo_generic_write(ost->muxing_queue, &tmp_pkt, sizeof(tmp_pkt),
NULL);
+ av_packet_unref(pkt);
return;
}
--
2.11.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
