Commit adea33f4 authored by Andreas Rheinhardt's avatar Andreas Rheinhardt Committed by Michael Niedermayer

avfilter/vf_paletteuse: Fix potential double-free of AVFrame

apply_palette() would free an AVFrame given to it only via an AVFrame *
(and not via AVFrame **) in three of its four exits (namely in the
normal path and in two error paths). So upon error the caller has no way
to know whether the frame has already been freed or not;
load_apply_palette(), the only caller, opted to free the frame in this
scenario.

This commit changes this by making apply_palette() not free the frame
at all, which is left to load_apply_palette().

Fixes Coverity issue #1452434.
Signed-off-by: 's avatarAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: 's avatarPaul B Mahol <onemda@gmail.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 4566cfed
...@@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) ...@@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)
AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h); AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h);
if (!out) { if (!out) {
av_frame_free(&in);
*outf = NULL; *outf = NULL;
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
} }
...@@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) ...@@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)
if (av_frame_ref(s->last_in, in) < 0 || if (av_frame_ref(s->last_in, in) < 0 ||
av_frame_ref(s->last_out, out) < 0 || av_frame_ref(s->last_out, out) < 0 ||
av_frame_make_writable(s->last_in) < 0) { av_frame_make_writable(s->last_in) < 0) {
av_frame_free(&in);
av_frame_free(&out); av_frame_free(&out);
*outf = NULL; *outf = NULL;
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
...@@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) ...@@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf)
memcpy(out->data[1], s->palette, AVPALETTE_SIZE); memcpy(out->data[1], s->palette, AVPALETTE_SIZE);
if (s->calc_mean_err) if (s->calc_mean_err)
debug_mean_error(s, in, out, inlink->frame_count_out); debug_mean_error(s, in, out, inlink->frame_count_out);
av_frame_free(&in);
*outf = out; *outf = out;
return 0; return 0;
} }
...@@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs) ...@@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs)
if (ret < 0) if (ret < 0)
return ret; return ret;
if (!master || !second) { if (!master || !second) {
ret = AVERROR_BUG; av_frame_free(&master);
goto error; return AVERROR_BUG;
} }
if (!s->palette_loaded) { if (!s->palette_loaded) {
load_palette(s, second); load_palette(s, second);
} }
ret = apply_palette(inlink, master, &out); ret = apply_palette(inlink, master, &out);
av_frame_free(&master);
if (ret < 0) if (ret < 0)
goto error; return ret;
return ff_filter_frame(ctx->outputs[0], out); return ff_filter_frame(ctx->outputs[0], out);
error:
av_frame_free(&master);
return ret;
} }
#define DEFINE_SET_FRAME(color_search, name, value) \ #define DEFINE_SET_FRAME(color_search, name, value) \
......
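Review bot: The ownership rule this fix depends on is not written down in any of the visible hunks: apply_palette() now only borrows `in`, and load_apply_palette() frees `master` exactly once after the call, but nothing at the apply_palette() signature says so, and an unstated contract of this kind is what the commit message describes as the cause of the double-free. A short comment above the definition would pin it, e.g. `/* Borrows in and never frees it; on failure *outf is set to NULL and the caller still owns in. */`. Separately, the error path in the hunk at -916 returns `AVERROR(ENOMEM)` no matter which of av_frame_ref() or av_frame_make_writable() failed; returning the failing call's own code would make such failures easier to diagnose. Both function bodies start outside the hunks shown, so an existing comment above either signature would not be visible here.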