From da44bbefaabeb2fdb58a03fe533a44aa150486fc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 27 Mar 2020 08:31:29 +0100 Subject: [PATCH] avformat/avidec: Fix memleak with embedded GAB2 subtitles The code for GAB2 subtitles predates refcounting AVPackets. So in order to transfer the ownership of a packet's data pkt->data was simply stored and the packet zeroed; in the end (i.e. in the read_close-function) this data was then simply freed with av_freep(). This of course leads to a leak of an AVBufferRef and an AVBuffer. It has been fixed by keeping and eventually unreferencing the packet's buf instead. Additionally, the packet is now reset via av_packet_unref(). Signed-off-by: Andreas Rheinhardt --- libavformat/avidec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 87298513c2..5fc3e01aa9 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -60,7 +60,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -1116,8 +1116,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1909,7 +1910,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } }