From 5c22c90c1d5050f1206e46494b193320ac2397cb Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 5 Nov 2017 13:35:40 -0300 Subject: [PATCH] vp9_superframe_bsf: cache packets by creating new references instead of moving pointers Fixes invalid reads after free. Signed-off-by: James Almer --- libavcodec/vp9_superframe_bsf.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c index 3669216009..ad66cb599b 100644 --- a/libavcodec/vp9_superframe_bsf.c +++ b/libavcodec/vp9_superframe_bsf.c @@ -148,8 +148,9 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *out) goto done; } - s->cache[s->n_cache++] = in; - in = NULL; + res = av_packet_ref(s->cache[s->n_cache++], in); + if (res < 0) + goto done; if (invisible) { res = AVERROR(EAGAIN); goto done; @@ -165,7 +166,7 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *out) goto done; for (n = 0; n < s->n_cache; n++) - av_packet_free(&s->cache[n]); + av_packet_unref(s->cache[n]); s->n_cache = 0; done: @@ -175,13 +176,28 @@ done: return res; } +static int vp9_superframe_init(AVBSFContext *ctx) +{ + VP9BSFContext *s = ctx->priv_data; + int n; + + // alloc cache packets + for (n = 0; n < MAX_CACHE; n++) { + s->cache[n] = av_packet_alloc(); + if (!s->cache[n]) + return AVERROR(ENOMEM); + } + + return 0; +} + static void vp9_superframe_close(AVBSFContext *ctx) { VP9BSFContext *s = ctx->priv_data; int n; // free cached data - for (n = 0; n < s->n_cache; n++) + for (n = 0; n < MAX_CACHE; n++) av_packet_free(&s->cache[n]); } @@ -193,6 +209,7 @@ const AVBitStreamFilter ff_vp9_superframe_bsf = { .name = "vp9_superframe", .priv_data_size = sizeof(VP9BSFContext), .filter = vp9_superframe_filter, + .init = vp9_superframe_init, .close = vp9_superframe_close, .codec_ids = codec_ids, };