From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Date: Sun, 24 Sep 2023 13:15:48 +0200

Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error

​

After having created the AVBuffer that is put into frame->buf[0],

ownership of several objects (namely an AVDRMFrameDescriptor,

an MppFrame and some AVBufferRefs framecontextref and decoder_ref)

has passed to the AVBuffer and therefore to the frame.

Yet it has nevertheless been freed manually on error

afterwards, which would lead to a double-free as soon

as the AVFrame is unreferenced.

​

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

---

 libavcodec/rkmppdec.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

​

--- a/libavcodec/rkmppdec.c

+++ b/libavcodec/rkmppdec.c

@@ -460,8 +460,8 @@

             frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);

             if (!frame->hw_frames_ctx) {

-                ret = AVERROR(ENOMEM);

-                goto fail;

+                av_frame_unref(frame);

+                return AVERROR(ENOMEM);

             }

             return 0;

​