From 5858e3cdbd6fbae3ed80366912dd5df0af4fa126 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 21 Sep 2019 21:59:09 +0200 Subject: audio: fix use-after-free with fuzzed file reinit_audio_filters_and_output() can fully shutdown the audio chain on failure. Specifically, it will deallocate mpctx->ao_chain. The value of that field was cached in ao_c. The code after the call did not account that the audio chain can be shutdown, and used the stale ao_c value. Fixes: #6808 --- player/audio.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'player/audio.c') diff --git a/player/audio.c b/player/audio.c index 881d74a904..22a87c91eb 100644 --- a/player/audio.c +++ b/player/audio.c @@ -813,6 +813,8 @@ void fill_audio_out_buffers(struct MPContext *mpctx) // Probe the initial audio format. mp_pin_out_request_data(ao_c->filter->f->pins[1]); reinit_audio_filters_and_output(mpctx); + if (!mpctx->ao_chain) + return; if (ao_c->filter->got_output_eof && mpctx->audio_status != STATUS_EOF) { -- cgit v1.2.3
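Review bot: the new early return in fill_audio_out_buffers() guards on `mpctx->ao_chain` being NULL, but the code that follows keeps dereferencing the cached `ao_c` (`ao_c->filter->got_output_eof`), so the fix only covers the case where reinit_audio_filters_and_output() tears the chain down completely. If a reinit path ever replaces the chain instead of clearing it, `ao_c` is stale again with the same use-after-free. Suggest either re-reading the pointer after the check (`ao_c = mpctx->ao_chain;`) or adding `assert(mpctx->ao_chain == ao_c);` so the invariant the fix relies on is stated next to it. A one-line comment explaining why the return is needed (the chain is deallocated on failure, per the commit message) would also help the next reader who does not have the commit history at hand.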