diff mbox series

[FFmpeg-devel] avformat/asfdec: init avpacket by av_packet_alloc()

Message ID 20220111023025.72632-1-13102179620@163.com
State New
Headers show
Series [FFmpeg-devel] avformat/asfdec: init avpacket by av_packet_alloc() | expand

Checks

Context Check Description
andriy/commit_msg_x86 warning Please wrap lines in the body of the commit message between 60 and 72 characters.
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/commit_msg_ppc warning Please wrap lines in the body of the commit message between 60 and 72 characters.
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished
andriy/commit_msg_armv7_RPi4 warning Please wrap lines in the body of the commit message between 60 and 72 characters.
andriy/make_armv7_RPi4 success Make finished
andriy/make_fate_armv7_RPi4 success Make fate finished
andriy/commit_msg_aarch64_jetson warning Please wrap lines in the body of the commit message between 60 and 72 characters.
andriy/make_aarch64_jetson success Make finished
andriy/make_fate_aarch64_jetson success Make fate finished

Commit Message

YuTong Song Jan. 11, 2022, 2:30 a.m. UTC 
From: Yang Xiao <yshaw99@outlook.com>

This commit fixed a crash when seeking wma frames, asf decoder will try to demux in function asf_read_pts().
Pointer member side_data of AVPacket that allocated by stack may be wild pointer.
Prevent releasing wild pointers in AVPacket when some functions try to call av_packet_unref, example av_read_frame().
---
 libavformat/asfdec_f.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Almer Jan. 11, 2022, 2:35 a.m. UTC | #1 
On 1/10/2022 11:30 PM, 13102179620@163.com wrote:
> From: Yang Xiao <yshaw99@outlook.com>
> 
> This commit fixed a crash when seeking wma frames, asf decoder will try to demux in function asf_read_pts().
> Pointer member side_data of AVPacket that allocated by stack may be wild pointer.
> Prevent releasing wild pointers in AVPacket when some functions try to call av_packet_unref, example av_read_frame().
> ---
>   libavformat/asfdec_f.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
> index a8f36ed286..8cf953830e 100644
> --- a/libavformat/asfdec_f.c
> +++ b/libavformat/asfdec_f.c
> @@ -1433,7 +1433,7 @@ static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
>   {
>       FFFormatContext *const si = ffformatcontext(s);
>       ASFContext *asf     = s->priv_data;
> -    AVPacket pkt1, *pkt = &pkt1;
> +    AVPacket *pkt = av_packet_alloc();

You're not checking pkt for allocation failure, and you're never freeing 
it after using it, so it will leak.

>       ASFStream *asf_st;
>       int64_t pts;
>       int64_t pos = *ppos;
diff mbox series

Patch

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index a8f36ed286..8cf953830e 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1433,7 +1433,7 @@  static int64_t asf_read_pts(AVFormatContext *s, int stream_index,
 {
     FFFormatContext *const si = ffformatcontext(s);
     ASFContext *asf     = s->priv_data;
-    AVPacket pkt1, *pkt = &pkt1;
+    AVPacket *pkt = av_packet_alloc();
     ASFStream *asf_st;
     int64_t pts;
     int64_t pos = *ppos;