-rw-r--r--NEWS2
-rw-r--r--src/decoder/plugins/FfmpegDecoderPlugin.cxx17
2 files changed, 15 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 9c44eaf0a..7b5d6df07 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
ver 0.19.11 (not yet released)
* tags
- ape: fix buffer overflow
+* decoder
+ - ffmpeg: fix crash due to wrong avio_alloc_context() call
* encoder
- flac: fix crash with 32 bit playback
diff --git a/src/decoder/plugins/FfmpegDecoderPlugin.cxx b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
index d5191a3c3..689089107 100644
--- a/src/decoder/plugins/FfmpegDecoderPlugin.cxx
+++ b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
@@ -92,14 +92,14 @@ struct AvioStream {
AVIOContext *io;
- unsigned char buffer[8192];
-
AvioStream(Decoder *_decoder, InputStream &_input)
:decoder(_decoder), input(_input), io(nullptr) {}
~AvioStream() {
- if (io != nullptr)
+ if (io != nullptr) {
+ av_free(io->buffer);
av_free(io);
+ }
}
bool Open();
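Review bot: The destructor now frees `io->buffer` rather than the pointer that Open() allocated, and nothing in the code says why. libavformat documents that it may free and replace the buffer handed to avio_alloc_context(), so `AVIOContext.buffer` is the only pointer guaranteed valid at teardown. A comment above `av_free(io->buffer);` such as `/* libavformat may have replaced the buffer; free the one the context currently holds */` would stop a later cleanup from reintroducing a fixed or cached buffer. The struct body continues outside the hunk, so it is not visible whether copying of AvioStream is disabled; if it is not, a copy would free `io` and its buffer twice.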
@@ -153,11 +153,20 @@ mpd_ffmpeg_stream_seek(void *opaque, int64_t pos, int whence)
bool
AvioStream::Open()
{
- io = avio_alloc_context(buffer, sizeof(buffer),
+ constexpr size_t BUFFER_SIZE = 8192;
+ auto buffer = (unsigned char *)av_malloc(BUFFER_SIZE);
+ if (buffer == nullptr)
+ return false;
+
+ io = avio_alloc_context(buffer, BUFFER_SIZE,
false, this,
mpd_ffmpeg_stream_read, nullptr,
input.IsSeekable()
? mpd_ffmpeg_stream_seek : nullptr);
+ /* If avio_alloc_context() fails, who frees the buffer? The
+ libavformat API documentation does not specify this, it
+ only says that AVIOContext.buffer must be freed in the end,
+ however no AVIOContext exists in that failure code path. */
return io != nullptr;
}
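Review bot: When avio_alloc_context() returns null, the `buffer` obtained from av_malloc() is never released, because the destructor only reaches it through `io`. The comment added in this hunk leaves the ownership question open. As far as I know the libavformat implementation fails only when allocating the context itself and leaves the caller's buffer untouched, but this should be confirmed against the FFmpeg version in use. If so, the tail of Open() should become `if (io == nullptr) { av_free(buffer); return false; }` followed by `return true;`. Open() also assigns `io` without checking for an existing context, so a second call would leak the first context and its buffer unless callers guarantee it runs only once.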