diff mbox series

[FFmpeg-devel,5/9] avformat/rmdec: Fix potential crash on allocation failure

Message ID 20200721021215.32647-3-andreas.rheinhardt@gmail.com
State Accepted
Commit 5aafdb4e5fe3ca8a0d8b16498caf5899a8d68e2c
Headers show
Series [FFmpeg-devel,v2,1/2] avformat: Redo cleanup of demuxer upon read_header() failure | expand


Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt July 21, 2020, 2:12 a.m. UTC
The RealMedia demuxer uses the priv_data of its streams to store a
structure containing an AVPacket. These packets are unreferenced in the
read_close function, yet said function simply presumed that the
priv_data has been successfully allocated. This implies that it mustn't
be called when an allocation of priv_data fails; but this can happen
since commit 35bbc1955a58ba74552c50d9161084644f00bbd3 if one has a
stream with multiple substreams (also exported as AVStream) and if
allocating the priv_data for one of these substreams fails.

This has been fixed by making sure that read_close can handle the case
in which priv_data has not been successfully allocated.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This here is another reason why every demuxer needs to be carefully
checked for whether it is compatible with calling read_close

 libavformat/rmdec.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series


diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 6851b7e1f4..72b8dba741 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -115,6 +115,9 @@  RMStream *ff_rm_alloc_rmstream (void)
 void ff_rm_free_rmstream (RMStream *rms)
+    if (!rms)
+        return;