decoder/ffmpeg: fix crash due to wrong avio_alloc_context() call

Allocate the buffer dynamically using av_malloc(), and free AVIOContext.buffer in the destructor, as mandated by the libavformat documentation. Fixes http://bugs.musicpd.org/view.php?id=4446

decoder/ffmpeg: fix crash due to wrong avio_alloc_context() call
1958f78c · Max Kellermann · a7ee64a2 · 1958f78c · 1958f78c
Commit 1958f78c authored Oct 26, 2015 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 4 deletions

NEWS NEWS +2 -0

FfmpegDecoderPlugin.cxx src/decoder/plugins/FfmpegDecoderPlugin.cxx +13 -4

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.19.11 (not yet released)
 * tags
  - ape: fix buffer overflow
+* decoder
+  - ffmpeg: fix crash due to wrong avio_alloc_context() call
 * encoder
  - flac: fix crash with 32 bit playback


--- a/src/decoder/plugins/FfmpegDecoderPlugin.cxx
+++ b/src/decoder/plugins/FfmpegDecoderPlugin.cxx
@@ -92,14 +92,14 @@ struct AvioStream {

 	AVIOContext *io;

-	unsigned char buffer[8192];
-
 	AvioStream(Decoder *_decoder, InputStream &_input)
 		:decoder(_decoder), input(_input), io(nullptr) {}

 	~AvioStream() {
-		if (io != nullptr)
+		if (io != nullptr) {
+			av_free(io->buffer);
 			av_free(io);
+		}
 	}

 	bool Open();
@@ -153,11 +153,20 @@ mpd_ffmpeg_stream_seek(void *opaque, int64_t pos, int whence)
 bool
 AvioStream::Open()
 {
-	io = avio_alloc_context(buffer, sizeof(buffer),
+	constexpr size_t BUFFER_SIZE = 8192;
+	auto buffer = (unsigned char *)av_malloc(BUFFER_SIZE);
+	if (buffer == nullptr)
+		return false;
+
+	io = avio_alloc_context(buffer, BUFFER_SIZE,
 				false, this,
 				mpd_ffmpeg_stream_read, nullptr,
 				input.IsSeekable()
 				? mpd_ffmpeg_stream_seek : nullptr);
+	/* If avio_alloc_context() fails, who frees the buffer?  The
+	   libavformat API documentation does not specify this, it
+	   only says that AVIOContext.buffer must be freed in the end,
+	   however no AVIOContext exists in that failure code path. */
 	return io != nullptr;
 }