authorwm4 <wm4@nowhere>2019-09-21 21:59:09 +0200
committerwm4 <wm4@nowhere>2019-09-21 21:59:09 +0200
commit5858e3cdbd6fbae3ed80366912dd5df0af4fa126 (patch)
tree164a82cede5b20d12f72af823600af3f8a6486c0
parentfc7decde738378b0ea5ecc1163c6b8d65a73672d (diff)
audio: fix use-after-free with fuzzed file
reinit_audio_filters_and_output() can fully shut down the audio chain on failure. Specifically, it will deallocate mpctx->ao_chain. The value of that field was cached in ao_c. The code after the call did not account for the possibility that the audio chain had been shut down, and used the stale ao_c value. Fixes: #6808
-rw-r--r--player/audio.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/player/audio.c b/player/audio.c
index 881d74a904..22a87c91eb 100644
--- a/player/audio.c
+++ b/player/audio.c
@@ -813,6 +813,8 @@ void fill_audio_out_buffers(struct MPContext *mpctx)
// Probe the initial audio format.
mp_pin_out_request_data(ao_c->filter->f->pins[1]);
reinit_audio_filters_and_output(mpctx);
+ if (!mpctx->ao_chain)
+ return;
if (ao_c->filter->got_output_eof &&
mpctx->audio_status != STATUS_EOF)
{
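Review bot: The added guard only covers the teardown case; it still lets the cached `ao_c` be dereferenced on the next line if reinit_audio_filters_and_output() ever replaces mpctx->ao_chain with a freshly allocated chain rather than setting it to NULL, and nothing in the hunk shows that this cannot happen. Comparing against the cached pointer makes the guard independent of that assumption: `if (mpctx->ao_chain != ao_c)` followed by `return;`, or alternatively re-reading `ao_c = mpctx->ao_chain;` after the NULL check so later uses cannot go through a stale pointer. Either way a one-line comment stating why the check is there would help the next reader, e.g. `// reinit may have torn down (freed) the chain; ao_c would be dangling`. fill_audio_out_buffers() starts and ends outside the hunk, so any further uses of ao_c after this point are not visible here and should be checked as well.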