Commit 51bbaf06 authored by Francois Cartegnie's avatar Francois Cartegnie

demux: avformat: fix double free with io buffer (fix #15903)

As mentioned by the documentation:
"It may be freed and replaced with a new buffer by libavformat."
" AVIOContext.buffer holds the buffer currently in use"
parent cacb1931
...@@ -64,9 +64,6 @@ ...@@ -64,9 +64,6 @@
*****************************************************************************/ *****************************************************************************/
struct demux_sys_t struct demux_sys_t
{ {
int io_buffer_size;
uint8_t *io_buffer;
AVInputFormat *fmt; AVInputFormat *fmt;
AVFormatContext *ic; AVFormatContext *ic;
...@@ -84,6 +81,8 @@ struct demux_sys_t ...@@ -84,6 +81,8 @@ struct demux_sys_t
input_title_t *p_title; input_title_t *p_title;
}; };
#define AVFORMAT_IOBUFFER_SIZE 32768 /* FIXME */
/***************************************************************************** /*****************************************************************************
* Local prototypes * Local prototypes
*****************************************************************************/ *****************************************************************************/
...@@ -285,12 +284,33 @@ int OpenDemux( vlc_object_t *p_this ) ...@@ -285,12 +284,33 @@ int OpenDemux( vlc_object_t *p_this )
p_sys->p_title = NULL; p_sys->p_title = NULL;
/* Create I/O wrapper */ /* Create I/O wrapper */
p_sys->io_buffer_size = 32768; /* FIXME */ unsigned char * p_io_buffer = malloc( AVFORMAT_IOBUFFER_SIZE );
p_sys->io_buffer = xmalloc( p_sys->io_buffer_size ); if( !p_io_buffer )
{
free( psz_url );
CloseDemux( p_this );
return VLC_ENOMEM;
}
p_sys->ic = avformat_alloc_context(); p_sys->ic = avformat_alloc_context();
AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_sys->io_buffer, if( !p_sys->ic )
p_sys->io_buffer_size, 0, p_demux, IORead, NULL, IOSeek ); {
free( p_io_buffer );
free( psz_url );
CloseDemux( p_this );
return VLC_ENOMEM;
}
AVIOContext *pb = p_sys->ic->pb = avio_alloc_context( p_io_buffer,
AVFORMAT_IOBUFFER_SIZE, 0, p_demux, IORead, NULL, IOSeek );
if( !pb )
{
free( p_io_buffer );
free( psz_url );
CloseDemux( p_this );
return VLC_ENOMEM;
}
p_sys->ic->pb->seekable = b_can_seek ? AVIO_SEEKABLE_NORMAL : 0; p_sys->ic->pb->seekable = b_can_seek ? AVIO_SEEKABLE_NORMAL : 0;
error = avformat_open_input(&p_sys->ic, psz_url, p_sys->fmt, NULL); error = avformat_open_input(&p_sys->ic, psz_url, p_sys->fmt, NULL);
...@@ -663,7 +683,11 @@ void CloseDemux( vlc_object_t *p_this ) ...@@ -663,7 +683,11 @@ void CloseDemux( vlc_object_t *p_this )
if( p_sys->ic ) if( p_sys->ic )
{ {
av_free( p_sys->ic->pb ); if( p_sys->ic->pb )
{
av_free( p_sys->ic->pb->buffer );
av_free( p_sys->ic->pb );
}
#if LIBAVFORMAT_VERSION_INT >= ((53<<16)+(26<<8)+0) #if LIBAVFORMAT_VERSION_INT >= ((53<<16)+(26<<8)+0)
avformat_close_input( &p_sys->ic ); avformat_close_input( &p_sys->ic );
#else #else
...@@ -678,7 +702,6 @@ void CloseDemux( vlc_object_t *p_this ) ...@@ -678,7 +702,6 @@ void CloseDemux( vlc_object_t *p_this )
if( p_sys->p_title ) if( p_sys->p_title )
vlc_input_title_Delete( p_sys->p_title ); vlc_input_title_Delete( p_sys->p_title );
free( p_sys->io_buffer );
free( p_sys ); free( p_sys );
} }
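Review bot: The I/O buffer is now allocated with `malloc( AVFORMAT_IOBUFFER_SIZE )` in OpenDemux but released with `av_free( p_sys->ic->pb->buffer )` in CloseDemux, and libavformat may itself free or replace it, so two allocator families are mixed on the same pointer. The avio_alloc_context() documentation that the commit message quotes from also requires the buffer to be allocated with av_malloc() and friends. On builds where av_malloc() is not a plain malloc() wrapper, the mismatch can corrupt the heap in a demuxer that parses untrusted media. Allocate with `unsigned char * p_io_buffer = av_malloc( AVFORMAT_IOBUFFER_SIZE );` and change the two `free( p_io_buffer );` calls in the error paths to `av_free( p_io_buffer );`. Both OpenDemux and CloseDemux continue outside the hunks shown.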