avio: redesign ffio_rewind_with_probe_data()

This prevents a double free Fixes CID718285 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avio: redesign ffio_rewind_with_probe_data()
This prevents a double free Fixes CID718285 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
120b38b9 · Michael Niedermayer · 54b2d317 · 120b38b9 · 120b38b9 · 120b38b9
Commit 120b38b9 authored Oct 13, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 7 deletions

avio_internal.h libavformat/avio_internal.h +1 -1

aviobuf.c libavformat/aviobuf.c +9 -4

utils.c libavformat/utils.c +1 -2

No files found.
--- a/libavformat/avio_internal.h
+++ b/libavformat/avio_internal.h
@@ -64,7 +64,7 @@ static av_always_inline void ffio_wfourcc(AVIOContext *pb, const uint8_t *s)
 * @return 0 in case of success, a negative value corresponding to an
 * AVERROR code in case of failure
 */
-int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char *buf, int buf_size);
+int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char **buf, int buf_size);
 uint64_t ffio_read_varlen(AVIOContext *bc);

--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -726,27 +726,32 @@ static int url_resetbuf(AVIOContext *s, int flags)
    return 0;
 }
-int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char *buf, int buf_size)
+int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char **bufp, int buf_size)
 {
    int64_t buffer_start;
    int buffer_size;
    int overlap, new_size, alloc_size;
+    uint8_t *buf = *bufp;
-    if (s->write_flag)
+    if (s->write_flag) {
+        av_freep(bufp);
        return AVERROR(EINVAL);
+    }
    buffer_size = s->buf_end - s->buffer;
    /* the buffers must touch or overlap */
-    if ((buffer_start = s->pos - buffer_size) > buf_size)
+    if ((buffer_start = s->pos - buffer_size) > buf_size) {
+        av_freep(bufp);
        return AVERROR(EINVAL);
+    }
    overlap = buf_size - buffer_start;
    new_size = buf_size + buffer_size - overlap;
    alloc_size = FFMAX(s->buffer_size, new_size);
    if (alloc_size > buf_size)
-        if (!(buf = av_realloc_f(buf, 1, alloc_size)))
+        if (!(buf = (*bufp) = av_realloc_f(buf, 1, alloc_size)))
            return AVERROR(ENOMEM);
    if (new_size > buf_size) {

--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -470,8 +470,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
    }
    /* rewind. reuse probe buffer to avoid seeking */
-    if ((ret = ffio_rewind_with_probe_data(pb, buf, pd.buf_size)) < 0)
+    ret = ffio_rewind_with_probe_data(pb, &buf, pd.buf_size);
-        av_free(buf);
    return ret;
 }