Message ID | 20230121012030.1471-1-aicommander@gmail.com |
---|---|
State | Accepted |
Commit | 669ff26bc283c39334e7df3a81fd0db0088a7442 |
Series | [FFmpeg-devel] avcodec/mfenc: fix double-free on init failure |

Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Fri, 20 Jan 2023, Cameron Gutman wrote: > mfenc sets FF_CODEC_CAP_INIT_CLEANUP, so calling mf_close() on > failure inside mf_init() results in a double-free. > > Signed-off-by: Cameron Gutman <aicommander@gmail.com> > --- > libavcodec/mfenc.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c > index 36a6d8482d..f3415df10b 100644 > --- a/libavcodec/mfenc.c > +++ b/libavcodec/mfenc.c > @@ -1214,7 +1214,6 @@ static int mf_init(AVCodecContext *avctx) > return 0; > } > } > - mf_close(avctx); > return ret; > } This change looks correct to me - thanks for that! However I think it'd be even nicer if we could make mf_close safe to call multiple times at the same time (but the duplicate call should of course still be removed); if we'd reset c->codec_api and c->async_events to NULL, it would be safe to call multiple times, right? // Martin
diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c index 36a6d8482d..f3415df10b 100644 --- a/libavcodec/mfenc.c +++ b/libavcodec/mfenc.c @@ -1214,7 +1214,6 @@ static int mf_init(AVCodecContext *avctx) return 0; } } - mf_close(avctx); return ret; }
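Review bot: at the final `return ret;` of mf_init(), the hunk shows only this one exit, so it is worth confirming that no other failure return in mf_init() still calls mf_close() directly; with FF_CODEC_CAP_INIT_CLEANUP set (per the commit message) any such call would be a second cleanup of the same context. Dropping `mf_close(avctx);` here leaves cleanup to a single owner, which is the right shape. As a follow-up, mf_close() could reset c->codec_api and c->async_events to NULL after releasing them, as suggested in the reply, so that a repeated call is harmless rather than a double-free.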
mfenc sets FF_CODEC_CAP_INIT_CLEANUP, so calling mf_close() on failure inside mf_init() results in a double-free. Signed-off-by: Cameron Gutman <aicommander@gmail.com> --- libavcodec/mfenc.c | 1 - 1 file changed, 1 deletion(-)
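The failure path described in the commit message and the hardening proposed in the reply, as an added example that is not FFmpeg's code. It is a constructed model of an init-cleanup contract in which the caller runs close after a failed init; the names `Res`, `Enc`, `enc_init` and `open_with_init_cleanup` are hypothetical, and releases are counted instead of freed so the double release is observable without undefined behaviour.

```c
#include <stdio.h>

/* Hypothetical stand-ins for this example; not FFmpeg's types or API. */
typedef struct Res { int releases; } Res;           /* >1 release == double-free */
typedef struct Enc { Res *codec_api, *async_events; } Enc;
typedef void (*close_fn)(Enc *);

static void res_release(Res *r) { if (r) r->releases++; }

/* Close that leaves stale pointers behind: a second call releases again. */
static void enc_close_stale(Enc *c) {
    res_release(c->codec_api);
    res_release(c->async_events);
}

/* Close as proposed in the reply: reset the pointers so a repeat is a no-op. */
static void enc_close_idempotent(Enc *c) {
    res_release(c->codec_api);    c->codec_api = NULL;
    res_release(c->async_events); c->async_events = NULL;
}

/* Init that always fails. self_cleanup models the call the patch removes. */
static int enc_init(Enc *c, Res *a, Res *b, close_fn do_close, int self_cleanup) {
    int ret = -1;                 /* constructed failure code */
    c->codec_api = a;
    c->async_events = b;
    if (self_cleanup)
        do_close(c);
    return ret;
}

/* Caller honouring an init-cleanup contract: it closes after a failed init.
 * Returns the highest release count seen on any resource. */
static int open_with_init_cleanup(close_fn do_close, int self_cleanup) {
    Res a = {0}, b = {0};
    Enc c = {0};
    if (enc_init(&c, &a, &b, do_close, self_cleanup) < 0)
        do_close(&c);
    return a.releases > b.releases ? a.releases : b.releases;
}

int main(void) {
    printf("before patch:          %d release(s)\n", open_with_init_cleanup(enc_close_stale, 1));
    printf("after patch:           %d release(s)\n", open_with_init_cleanup(enc_close_stale, 0));
    printf("idempotent close only: %d release(s)\n", open_with_init_cleanup(enc_close_idempotent, 1));
    return 0;
}
```

A count of 2 corresponds to the double-free; either removing the extra call or resetting the pointers brings it back to 1, and doing both gives two independent safeguards.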