diff mbox series

[FFmpeg-devel] avcodec/hw_base_encode: fix use after free on close

Message ID D4YALSG1G3VH.3ABJR031BO4DH@gmail.com
State New
Headers show
Series [FFmpeg-devel] avcodec/hw_base_encode: fix use after free on close | expand

Commit Message

Marvin Scholz Oct. 17, 2024, 6:23 p.m. UTC 
The way the linked list of images was freed caused a
use after free, by accessing pic->next after pic was
already freed.

Regression from 48a1a12968345bf673db1e1cbb5c64bd3529c50c

Fix CID1633236
---
 libavcodec/hw_base_encode.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


base-commit: f0e6296ddeaf5c5077f4787080712f8e26a34d77
diff mbox series

Patch

diff --git a/libavcodec/hw_base_encode.c b/libavcodec/hw_base_encode.c
index 912c707a68f..4d8bf4fe71d 100644
--- a/libavcodec/hw_base_encode.c
+++ b/libavcodec/hw_base_encode.c
@@ -802,14 +802,14 @@  int ff_hw_base_encode_init(AVCodecContext *avctx, FFHWBaseEncodeContext *ctx)
     return 0;
 }
 
 int ff_hw_base_encode_close(FFHWBaseEncodeContext *ctx)
 {
-    FFHWBaseEncodePicture *pic;
-
-    for (pic = ctx->pic_start; pic; pic = pic->next)
+    for (FFHWBaseEncodePicture *pic = ctx->pic_start, *next_pic = pic; pic; pic = next_pic) {
+        next_pic = pic->next;
         base_encode_pic_free(pic);
+    }
 
     av_fifo_freep2(&ctx->encode_fifo);
 
     av_frame_free(&ctx->frame);
     av_packet_free(&ctx->tail_pkt);