Opened 2 years ago
Closed 2 years ago
#9800 closed defect (invalid)
decklink_dec.cpp captured audio packets are already-freed memory
| Reported by: | liquidblueocean | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | avdevice |
| Version: | unspecified | Keywords: | decklink |
| Cc: | Blocked By: | ||
| Blocking: | Reproduced by developer: | no | |
| Analyzed by developer: | no |
Description
Summary of the bug:
This can be seen by simple code inspection.
While the code calls AddRef on the received videoFrame, it doesn't do it for the audioFrame. When it exits the callback made by the DeckLinkAPI, that memory will be freed. Thus the avpacket passed on points to freed memory. Looks like this bug has been there all the time :(
How to reproduce:
Any usage of a DeckLink device that captures audio.
Change History (3)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
ok, it's my mistake then. I looked at the code of avpacket_queue_put but didn't realize from the name that av_packet_make_refcounted makes a copy. This can be closed
comment:3 by , 2 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
avpacket_queue_put() calls av_packet_make_refcounted() on the packet before putting it into the queue. Because the packet is not already refcounted, this will make a copy. So everything should be fine. But I don't have a decklink device at all, so I can't test this and am therefore not closing it. Have you actually experienced a use-after-free yourself in the scenario you describe?
(The handling of video avoids copying the data, instead adding references.)