diff options
author | Vincent Penquerc'h <vincent.penquerch@collabora.co.uk> | 2016-09-29 14:32:15 +0100 |
---|---|---|
committer | Vincent Penquerc'h <vincent.penquerch@collabora.co.uk> | 2016-09-29 15:13:07 +0100 |
commit | ce59031b10efcf025c820704d8b8b9f6d215a85c (patch) | |
tree | 9e71a24a75580603610d6316070123796a10edd4 | |
parent | 58bb21c463dfdb956e1a6811d345c556c9d95b17 (diff) |
fdkaacenc: fix accessing freed memory
The buffer data is not always copied in _Fill, and will be
read in _DecodeFrame. We unmap at the end of the function,
whether we get there via failure or early out, and keep a
ref to the buffer to ensure we can use it to unmap the
memory even after _finish_frame is called, as it unrefs
the buffer.
Note that there is an access beyond the allocated buffer,
which is only apparent when playing from souphttpsrc (ie,
not from filesrc). This appears to be a bug in the bit
reading code in libfdkaac AFAICT.
https://bugzilla.gnome.org/show_bug.cgi?id=772186
-rw-r--r-- | ext/fdkaac/gstfdkaacdec.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/ext/fdkaac/gstfdkaacdec.c b/ext/fdkaac/gstfdkaacdec.c index c903d27af2..c271837526 100644 --- a/ext/fdkaac/gstfdkaacdec.c +++ b/ext/fdkaac/gstfdkaacdec.c @@ -190,6 +190,7 @@ gst_fdkaacdec_handle_frame (GstAudioDecoder * dec, GstBuffer * inbuf) gboolean need_reorder; if (inbuf) { + gst_buffer_ref (inbuf); gst_buffer_map (inbuf, &imap, GST_MAP_READ); valid = size = imap.size; @@ -198,10 +199,8 @@ gst_fdkaacdec_handle_frame (GstAudioDecoder * dec, GstBuffer * inbuf) &valid)) != AAC_DEC_OK) { GST_AUDIO_DECODER_ERROR (self, 1, STREAM, DECODE, (NULL), ("filling error: %d", err), ret); - gst_buffer_unmap (inbuf, &imap); goto out; } - gst_buffer_unmap (inbuf, &imap); if (GST_BUFFER_IS_DISCONT (inbuf)) flags |= AACDEC_INTR; @@ -395,6 +394,11 @@ finish: out: + if (inbuf) { + gst_buffer_unmap (inbuf, &imap); + gst_buffer_unref (inbuf); + } + return ret; } |