[FFmpeg-devel] avcodec/frame_thread_encoder: fix memleak on error

Submitted by Paul B Mahol on Oct. 15, 2019, 5:36 p.m.

Details

Message ID 20191015173615.29800-1-onemda@gmail.com
State New

Commit Message

Paul B Mahol Oct. 15, 2019, 5:36 p.m.
Fixes #8281

Signed-off-by: Paul B Mahol <onemda@gmail.com>
---
 libavcodec/frame_thread_encoder.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

James Almer Oct. 15, 2019, 5:38 p.m.
On 10/15/2019 2:36 PM, Paul B Mahol wrote:
> Fixes #8281
> 
> Signed-off-by: Paul B Mahol <onemda@gmail.com>
> ---
>  libavcodec/frame_thread_encoder.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c
> index 949bc69f81..ffee242b76 100644
> --- a/libavcodec/frame_thread_encoder.c
> +++ b/libavcodec/frame_thread_encoder.c
> @@ -116,6 +116,7 @@ end:
>  
>  int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
>      int i=0;
> +    AVCodecContext *thread_avctx = NULL;
>      ThreadContext *c;
>  
>  
> @@ -195,7 +196,7 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
>          AVDictionary *tmp = NULL;
>          int ret;
>          void *tmpv;
> -        AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
> +        thread_avctx = avcodec_alloc_context3(avctx->codec);
>          if(!thread_avctx)
>              goto fail;
>          tmpv = thread_avctx->priv_data;
> @@ -236,6 +237,7 @@ fail:
>      avctx->thread_count = i;
>      av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
>      ff_frame_thread_encoder_free(avctx);
> +    avcodec_free_context(&thread_avctx);
>      return -1;
>  }

I thought about this, but if you look at line 202 where it does
"*thread_avctx = *avctx;", isn't there a risk of double frees with
internal fields when avctx is also freed?
Paul B Mahol Oct. 15, 2019, 5:55 p.m.
On 10/15/19, James Almer <jamrial@gmail.com> wrote:
> On 10/15/2019 2:36 PM, Paul B Mahol wrote:
>> Fixes #8281
>>
>> Signed-off-by: Paul B Mahol <onemda@gmail.com>
>> ---
>>  libavcodec/frame_thread_encoder.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/frame_thread_encoder.c
>> b/libavcodec/frame_thread_encoder.c
>> index 949bc69f81..ffee242b76 100644
>> --- a/libavcodec/frame_thread_encoder.c
>> +++ b/libavcodec/frame_thread_encoder.c
>> @@ -116,6 +116,7 @@ end:
>>
>>  int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary
>> *options){
>>      int i=0;
>> +    AVCodecContext *thread_avctx = NULL;
>>      ThreadContext *c;
>>
>>
>> @@ -195,7 +196,7 @@ int ff_frame_thread_encoder_init(AVCodecContext
>> *avctx, AVDictionary *options){
>>          AVDictionary *tmp = NULL;
>>          int ret;
>>          void *tmpv;
>> -        AVCodecContext *thread_avctx =
>> avcodec_alloc_context3(avctx->codec);
>> +        thread_avctx = avcodec_alloc_context3(avctx->codec);
>>          if(!thread_avctx)
>>              goto fail;
>>          tmpv = thread_avctx->priv_data;
>> @@ -236,6 +237,7 @@ fail:
>>      avctx->thread_count = i;
>>      av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
>>      ff_frame_thread_encoder_free(avctx);
>> +    avcodec_free_context(&thread_avctx);
>>      return -1;
>>  }
>
> I thought about this, but if you look at line 202 where it does
> "*thread_avctx = *avctx;", isn't there a risk of double frees with
> internal fields when avctx is also freed?

Yes, there is.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Patch

diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c
index 949bc69f81..ffee242b76 100644
--- a/libavcodec/frame_thread_encoder.c
+++ b/libavcodec/frame_thread_encoder.c
@@ -116,6 +116,7 @@  end:
 
 int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
     int i=0;
+    AVCodecContext *thread_avctx = NULL;
     ThreadContext *c;
 
 
@@ -195,7 +196,7 @@  int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){
         AVDictionary *tmp = NULL;
         int ret;
         void *tmpv;
-        AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
+        thread_avctx = avcodec_alloc_context3(avctx->codec);
         if(!thread_avctx)
             goto fail;
         tmpv = thread_avctx->priv_data;
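Review bot: With `thread_avctx` now declared at function scope, the pointer keeps its value after this block has finished with the context, so the `avcodec_free_context(&thread_avctx)` added at `fail:` is only correct if every `goto fail` is taken while this function still owns the allocation. If the context is later handed to a worker thread (the hand-off is outside the hunk, so this is inferred), the variable should be cleared right after it, e.g. `thread_avctx = NULL; /* ownership passed to the worker */`, so that a failure path added later cannot free a context a running thread is still using. The enclosing block starts and ends outside the hunk.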
@@ -236,6 +237,7 @@  fail:
     avctx->thread_count = i;
     av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n");
     ff_frame_thread_encoder_free(avctx);
+    avcodec_free_context(&thread_avctx);
     return -1;
 }