summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwm4 <wm4@nowhere>2020-03-14 13:36:27 +0100
committerwm4 <wm4@nowhere>2020-03-14 13:50:04 +0100
commit9d04e76f3f0e460aed44ac3bfb25e36068b1c832 (patch)
treed8bc78a92c92fe716fc9aab534c669a6fc7c7b09
parentcd22e93feed9e84ebe36e98ac59cc744df07b64a (diff)
downloadmpv-9d04e76f3f0e460aed44ac3bfb25e36068b1c832.tar.bz2
mpv-9d04e76f3f0e460aed44ac3bfb25e36068b1c832.tar.xz
ao_pcm: fix double free on exit
This seems to be an older bug. It set priv->outputfilename to a new talloc-allocated string, but the field is also managed as string option, so talloc will free it first, then m_option_free() is called on the dangling pointer. Possibly this is caused by the earlier ta destruction order change.
-rw-r--r--audio/out/ao_pcm.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/audio/out/ao_pcm.c b/audio/out/ao_pcm.c
index 689d5c019a..5de213f07d 100644
--- a/audio/out/ao_pcm.c
+++ b/audio/out/ao_pcm.c
@@ -111,9 +111,11 @@ static int init(struct ao *ao)
{
struct priv *priv = ao->priv;
- if (!priv->outputfilename)
- priv->outputfilename =
- talloc_strdup(priv, priv->waveheader ? "audiodump.wav" : "audiodump.pcm");
+ char *outputfilename = priv->outputfilename;
+ if (!outputfilename) {
+ outputfilename = talloc_strdup(priv, priv->waveheader ? "audiodump.wav"
+ : "audiodump.pcm");
+ }
ao->format = af_fmt_from_planar(ao->format);
@@ -148,13 +150,13 @@ static int init(struct ao *ao)
ao->bps = ao->channels.num * ao->samplerate * af_fmt_to_bytes(ao->format);
MP_INFO(ao, "File: %s (%s)\nPCM: Samplerate: %d Hz Channels: %d Format: %s\n",
- priv->outputfilename,
+ outputfilename,
priv->waveheader ? "WAVE" : "RAW PCM", ao->samplerate,
ao->channels.num, af_fmt_to_str(ao->format));
- priv->fp = fopen(priv->outputfilename, priv->append ? "ab" : "wb");
+ priv->fp = fopen(outputfilename, priv->append ? "ab" : "wb");
if (!priv->fp) {
- MP_ERR(ao, "Failed to open %s for writing!\n", priv->outputfilename);
+ MP_ERR(ao, "Failed to open %s for writing!\n", outputfilename);
return -1;
}
if (priv->waveheader) // Reserve space for wave header