From patchwork Tue Jul 31 09:41:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: avconv: make sure packets put into the muxing FIFO are refcounted X-Patchwork-Submitter: =?utf-8?q?Martin_Storsj=C3=B6?= X-Patchwork-Id: 64324 Message-Id: <20180731094130.88513-1-martin@martin.st> To: libav-devel@libav.org Date: Tue, 31 Jul 2018 12:41:30 +0300 From: =?utf-8?q?Martin_Storsj=C3=B6?= List-Id: libav development From: wm4 Some callers (like do_subtitle_out(), or do_streamcopy()) call this with an AVPacket that is not refcounted. This can cause undefined behavior. Calling av_packet_move_ref() does not make a packet refcounted if it isn't yet. (And it can't be made to, because it always succeeds, and can't return ENOMEM.) Call av_packet_ref() instead to make sure it's refcounted. --- avtools/avconv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/avtools/avconv.c b/avtools/avconv.c index ac15464a8d..3abb7f872f 100644 --- a/avtools/avconv.c +++ b/avtools/avconv.c @@ -281,7 +281,7 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost) int ret; if (!of->header_written) { - AVPacket tmp_pkt; + AVPacket tmp_pkt = {0}; /* the muxer is not initialized yet, buffer the packet */ if (!av_fifo_space(ost->muxing_queue)) { int new_size = FFMIN(2 * av_fifo_size(ost->muxing_queue), @@ -296,8 +296,11 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost) if (ret < 0) exit_program(1); } - av_packet_move_ref(&tmp_pkt, pkt); + ret = av_packet_ref(&tmp_pkt, pkt); + if (ret < 0) + exit_program(1); av_fifo_generic_write(ost->muxing_queue, &tmp_pkt, sizeof(tmp_pkt), NULL); + av_packet_unref(pkt); return; }