Module: libav
Branch: master
Commit: c42b62d1f9641f10ffc23cad9abbe47d8a4a165b
Author: Mark Thompson <s...@jkqxz.net>
Committer: Mark Thompson <s...@jkqxz.net>
Date: Sun Aug 20 22:46:17 2017 +0100
h264_metadata: Fix double-free
Whether the udu string should be freed depends on whether the SEI it
gets added to was created internally by cbs or externally by the bsf.
The current code frees it twice in the former case.
---
libavcodec/h264_metadata_bsf.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h264_metadata_bsf.c b/libavcodec/h264_metadata_bsf.c
index 9bf96b3..1afa501 100644
--- a/libavcodec/h264_metadata_bsf.c
+++ b/libavcodec/h264_metadata_bsf.c
@@ -293,7 +293,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket
*out)
H264RawSEI *sei;
H264RawSEIPayload *payload;
H264RawSEIUserDataUnregistered *udu;
- int sei_pos;
+ int sei_pos, sei_new;
for (i = 0; i < au->nb_units; i++) {
if (au->units[i].type == H264_NAL_SEI ||
@@ -305,8 +305,10 @@ static int h264_metadata_filter(AVBSFContext *bsf,
AVPacket *out)
if (sei_pos < au->nb_units &&
au->units[sei_pos].type == H264_NAL_SEI) {
+ sei_new = 0;
sei = au->units[sei_pos].content;
} else {
+ sei_new = 1;
sei = &ctx->sei_nal;
memset(sei, 0, sizeof(*sei));
@@ -354,6 +356,12 @@ static int h264_metadata_filter(AVBSFContext *bsf,
AVPacket *out)
payload->payload_size = 16 + udu->data_length;
+ if (!sei_new) {
+ // This will be freed by the existing internal
+ // reference in fragment_uninit().
+ sei_udu_string = NULL;
+ }
+
} else {
invalid_user_data:
av_log(bsf, AV_LOG_ERROR, "Invalid user data: "
_______________________________________________
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits
