From bebaeaeaa976f39cfed380a742b2a5daa139277e Mon Sep 17 00:00:00 2001
From: Richard Stanway
Date: Wed, 20 Apr 2016 02:51:40 +0200
Subject: [PATCH] libff: Fix heap corruption caused by unnecessary av_dup_packet call

There's no need to duplicate the packet as the reference count will be 1 after the av_read_frame call. Duplicating causes heap corruption when a synthetic clock packet is duplicated and assigned the buffer from the stack-based temporary packet which is then double-freed by the decoder thread.
---
 deps/libff/libff/ff-packet-queue.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/deps/libff/libff/ff-packet-queue.c b/deps/libff/libff/ff-packet-queue.c
index 4a26262eb..dd85dd416 100644
--- a/deps/libff/libff/ff-packet-queue.c
+++ b/deps/libff/libff/ff-packet-queue.c
@@ -61,10 +61,6 @@ int packet_queue_put(struct ff_packet_queue *q, struct ff_packet *packet)
 {
 	struct ff_packet_list *new_packet;
-	if (packet != &q->flush_packet
-			&& av_dup_packet(&packet->base) < 0)
-		return FF_PACKET_FAIL;
-
 	new_packet = av_malloc(sizeof(struct ff_packet_list));
 	if (new_packet == NULL)