[FFmpeg-devel] [PATCH] wrong usage of av_free_packet in tee pseudo muxer (ticket #4921)

Sat, 10 Oct 2015 07:11:45 -0700 

Dear All,

using tee pseudo muxer I faced an issue.
During applying bit stream filters, when the main packet data buffer is changed, filter_packet function uses a temporary new packet (new_pkt) to store that buffer, frees the original packet (*pkt), and replace it with the new packet.
However, in doing so, it forgets about the side data (side_data and side_data_elems members of AVPacket), which also gets freed by av_free_packet, but is still referenced by new_pkt. Then, when the new packet gets freed again in the normal code path in tee muxer, it attempts to free its side data also which has already been freed.
The solution is simply avoiding freeing the side data by removing that side data reference from the packet. 


This issue is very similar to ticket #3773.


best regards,

Bela Bodecs



>From 92c545600f42ea6f3b503746696a573b417a6b4a Sat, 10 Oct 2015 16:01:30 +0200
From: Bela Bodecs <bode...@vivanet.hu>
Date: Sat, 10 Oct 2015 15:59:03 +0200
Subject: [PATCH] wrong usage of av_free_packet in tee pseudo muxer (ticket #4921)


During applying bit stream filters, when the main packet data buffer is
changed, filter_packet function uses a temporary new packet (new_pkt) to
store that buffer, frees the original packet (*pkt), and replace it with
the new packet.

However, in doing so, it forgets about the side data (side_data and
side_data_elems members of AVPacket), which also gets freed by
av_free_packet, but is still referenced by new_pkt. Then, when the new
packet gets freed again in the normal code path in tee muxer, it
attempts to free its side data also which has already been freed.

The solution is simply avoiding freeing the side data by removing that
side data reference from the packet.


This issue is very similar to ticket #3773.


diff --git a/libavformat/tee.c b/libavformat/tee.c
index c619eae..a86952b 100644
--- a/libavformat/tee.c
+++ b/libavformat/tee.c
@@ -401,10 +401,12 @@
                 break;
             ret = 1;
         }
 
         if (ret > 0) {
+            pkt->side_data = NULL;
+            pkt->side_data_elems = 0;
             av_free_packet(pkt);
             new_pkt.buf = av_buffer_create(new_pkt.data, new_pkt.size,
                                            av_buffer_default_free, NULL, 0);
             if (!new_pkt.buf)
                 break;

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel

Reply via email to