x/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-11 08:13:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free)

Browse Source 
try_push_frame() decides whether an input buffer is already tracked by testing
`j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier
channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is
never referenced, so it is freed while the output frame still points at it.

Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski.
This commit is contained in:
Franciszek Kalinowski
2026-05-25 22:21:41 +00:00
committed by michaelni
co-authored by michaelni
parent 387ad6d102
commit 461fb22053
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavfilter/af_join.c
+1 -1
View File
@@ -469,7 +469,7 @@ static int try_push_frame(AVFilterContext *ctx)
for (j = 0; j < nb_buffers; j++)
if (s->buffers[j]->buffer == buf->buffer)
break;
if (j == i)
if (j == nb_buffers)
s->buffers[nb_buffers++] = buf;
}