[FFmpeg-cvslog] avplay: fix write on freed memory for rawvideo

[Luca Barbato]

ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Thu Jun 28 20:55:04 2012 +0200| [906f9dce85eeb8c7f29ed2a37ec737a64c0275c6] | committer: Luca Barbato

avplay: fix write on freed memory for rawvideo

Do not assume avpacket and the decoded frames are independent.

To be absolutely sure and not sprinkle av_free_packet around the code
the call had been placed before getting the frame and on the error path.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=906f9dce85eeb8c7f29ed2a37ec737a64c0275c6
---

 avplay.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/avplay.c b/avplay.c
index 71844c2..e050169 100644
--- a/avplay.c
+++ b/avplay.c
@@ -1597,6 +1597,7 @@ static int configure_video_filters(AVFilterGraph *graph, VideoState *is, const c
 
 static int video_thread(void *arg)
 {
+    AVPacket pkt = { 0 };
     VideoState *is = arg;
     AVFrame *frame = avcodec_alloc_frame();
     int64_t pts_int;
@@ -1617,7 +1618,6 @@ static int video_thread(void *arg)
 #endif
 
     for (;;) {
-        AVPacket pkt;
 #if CONFIG_AVFILTER
         AVFilterBufferRef *picref;
         AVRational tb;
@@ -1625,10 +1625,11 @@ static int video_thread(void *arg)
         while (is->paused && !is->videoq.abort_request)
             SDL_Delay(10);
 
+        av_free_packet(&pkt);
+
         ret = get_video_frame(is, frame, &pts_int, &pkt);
         if (ret < 0)
             goto the_end;
-        av_free_packet(&pkt);
 
         if (!ret)
             continue;
@@ -1708,6 +1709,7 @@ static int video_thread(void *arg)
     av_freep(&vfilters);
     avfilter_graph_free(&graph);
 #endif
+    av_free_packet(&pkt);
     av_free(frame);
     return 0;
 }