    avcodec/cbs: Fix potential double-free when adding unit fails · ac5d5046
    Andreas Rheinhardt authored
    ff_cbs_insert_unit_data() has two modes of operation: It can insert a
    unit with a newly created reference to an already existing AVBuffer; or
    it can take a buffer and create an AVBuffer for it. Said buffer will
    then become owned by the unit later on.
    
    A potential memleak/double-free exists in the second case, because if
    creating the AVBuffer fails, the function immediately returns, but when
    it fails later on, the supplied buffer will be freed. The caller has no
    way to distinguish between these two outcomes. The only such caller
    (cbs_jpeg_split_fragment() in cbs_jpeg.c) opted for a potential
    double-free.
    
    This commit changes this by explicitly stating that a non-refcounted
    buffer will be freed on error. The aforementioned caller has been
    brought in line with this.
    
    Fixes CID 1452623.
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
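The ownership problem the commit message describes, as an added example that is not FFmpeg's code: the types (BufRef, Unit, Fragment), the functions, the fault-injecting allocator and the sample bytes are stand-ins chosen here to model the contract of ff_cbs_insert_unit_data() before and after the fix. A payload handed over without a reference is either returned to the caller (BufRef allocation failed) or freed by the callee (a later step failed), and the caller's only safe options are to leak or to double-free. The fixed contract frees it on every error path, and the caller then never touches it again. The instrumented free() counts a repeated free instead of performing it, so the buggy path can be run without corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-ins for FFmpeg's AVBufferRef and CodedBitstreamUnit: only the
 * buffer-ownership behaviour described in the commit message is modelled. */
typedef struct BufRef   { uint8_t *data; size_t size; int refcount; } BufRef;
typedef struct Unit     { uint8_t *data; size_t size; BufRef *ref; } Unit;
typedef struct Fragment { Unit *units; int nb_units; } Fragment;

/* Fault injection: the N-th allocation (1-based) fails; 0 means never fail. */
static int fail_alloc_at, alloc_count;
static void *xmalloc(size_t n) {
    return (fail_alloc_at && ++alloc_count == fail_alloc_at) ? NULL : malloc(n);
}

/* Instrumented free() for payloads: a second free of the same pointer is counted
 * instead of being passed to free(), so the buggy path can be exercised safely. */
static uint8_t *freed_ptrs[16];
static int nb_freed, payload_frees, double_frees;
static void payload_free(uint8_t *p) {
    for (int i = 0; i < nb_freed; i++)
        if (freed_ptrs[i] == p) { double_frees++; return; }
    if (nb_freed < 16) freed_ptrs[nb_freed++] = p;
    payload_frees++; free(p);
}

static void buf_unref(BufRef **pref) {
    BufRef *r = *pref; *pref = NULL;
    if (!r || --r->refcount > 0) return;
    payload_free(r->data);
    free(r);
}

/* Grow the unit array by one: the allocation that can fail "later on". */
static int append_unit(Fragment *frag, uint8_t *data, size_t size, BufRef *ref) {
    Unit *units = xmalloc((frag->nb_units + 1) * sizeof(*units));
    if (!units) return -1;
    if (frag->nb_units) memcpy(units, frag->units, frag->nb_units * sizeof(*units));
    free(frag->units); frag->units = units;
    units[frag->nb_units++] = (Unit){ data, size, ref };
    return 0;
}

/* Model of ff_cbs_insert_unit_data(). ref != NULL: the unit takes a new reference, data
 * is only borrowed. ref == NULL: data is a malloc()ed payload the unit takes over.
 * fixed == 0 reproduces the pre-fix behaviour (BufRef allocation failure leaves data with
 * the caller, a later failure frees it); fixed == 1 is the commit's contract. */
static int insert_unit_data(Fragment *frag, uint8_t *data, size_t size, BufRef *ref, int fixed) {
    BufRef *unit_ref = ref;
    if (ref) {
        ref->refcount++;
    } else {
        unit_ref = xmalloc(sizeof(*unit_ref));
        if (!unit_ref) {
            if (fixed) payload_free(data);      /* the fix: callee owns data now */
            return -1;
        }
        *unit_ref = (BufRef){ data, size, 1 };
    }
    if (append_unit(frag, data, size, unit_ref) < 0) {
        buf_unref(&unit_ref);                   /* frees data when ref == NULL */
        return -1;
    }
    return 0;
}

/* Caller shaped like cbs_jpeg_split_fragment(): copy a segment into a fresh buffer and
 * hand it over. Pre-fix it also freed the buffer on error; under the fixed contract it must not. */
static int split_segment(Fragment *frag, const uint8_t *seg, size_t size, int fixed) {
    uint8_t *data = xmalloc(size);
    if (!data) return -1;
    memcpy(data, seg, size);
    if (insert_unit_data(frag, data, size, NULL, fixed) < 0) {
        if (!fixed) payload_free(data);         /* BUG: second free if the callee freed */
        return -1;
    }
    return 0;
}

static void fragment_free(Fragment *frag) {
    for (int i = 0; i < frag->nb_units; i++) buf_unref(&frag->units[i].ref);
    free(frag->units);
}

/* Run one scenario and return how often the payload was (or would have been) freed:
 * 1 is correct, 2 is a double free. Allocation order: 1 = payload copy, 2 = BufRef, 3 = unit array. */
static int payload_free_count(int fixed, int fail_at) {
    static const uint8_t seg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10 }; /* constructed bytes */
    Fragment frag = { 0 };
    fail_alloc_at = fail_at; alloc_count = nb_freed = payload_frees = double_frees = 0;
    split_segment(&frag, seg, sizeof seg, fixed);
    fragment_free(&frag);
    return payload_frees + double_frees;
}

int main(void) {   /* exit status 0 only if the old contract double-frees and the fixed one does not */
    return (payload_free_count(0, 3) == 2 && payload_free_count(1, 3) == 1) ? 0 : 1;
}
```

Under the pre-fix contract the caller is right to free when the BufRef allocation fails (payload freed once) and wrong when the array growth fails (payload freed twice), with no return value to tell the two apart; that is why the fix changes the callee's documented behaviour rather than the caller's guess. The same instrumented-free trick is a cheap way to check any "callee frees on error" contract under fault injection before relying on a sanitizer.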
cbs.c 21.5 KB