decoder/ffmpeg: fix crash due to wrong avio_alloc_context() call

Allocate the buffer dynamically using av_malloc(), and free
AVIOContext.buffer in the destructor, as mandated by the libavformat
documentation.

Fixes http://bugs.musicpd.org/view.php?id=4446

2 files changed, 15 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 9c44eaf0a..7b5d6df07 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 ver 0.19.11 (not yet released)
 * tags
   - ape: fix buffer overflow
+* decoder
+  - ffmpeg: fix crash due to wrong avio_alloc_context() call
 * encoder
   - flac: fix crash with 32 bit playback
 
diff --git a/src/decoder/plugins/FfmpegDecoderPlugin.cxx b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
index d5191a3c3..689089107 100644
--- a/src/decoder/plugins/FfmpegDecoderPlugin.cxx
+++ b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
@@ -92,14 +92,14 @@ struct AvioStream {
 
 	AVIOContext *io;
 
-	unsigned char buffer[8192];
-
 	AvioStream(Decoder *_decoder, InputStream &_input)
 		:decoder(_decoder), input(_input), io(nullptr) {}
 
 	~AvioStream() {
-		if (io != nullptr)
+		if (io != nullptr) {
+			av_free(io->buffer);
 			av_free(io);
+		}
 	}
 
 	bool Open();
@@ -153,11 +153,20 @@ mpd_ffmpeg_stream_seek(void *opaque, int64_t pos, int whence)
 bool
 AvioStream::Open()
 {
-	io = avio_alloc_context(buffer, sizeof(buffer),
+	constexpr size_t BUFFER_SIZE = 8192;
+	auto buffer = (unsigned char *)av_malloc(BUFFER_SIZE);
+	if (buffer == nullptr)
+		return false;
+
+	io = avio_alloc_context(buffer, BUFFER_SIZE,
 				false, this,
 				mpd_ffmpeg_stream_read, nullptr,
 				input.IsSeekable()
 				? mpd_ffmpeg_stream_seek : nullptr);
+	/* If avio_alloc_context() fails, who frees the buffer?  The
+	   libavformat API documentation does not specify this, it
+	   only says that AVIOContext.buffer must be freed in the end,
+	   however no AVIOContext exists in that failure code path. */
 	return io != nullptr;
 }