[FFmpeg-cvslog] avcodec/rkmppdec: Fix double-free on error

Mon Aug 4 23:56:38 EEST 2025

ffmpeg | branch: release/7.0 | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Sun Sep 24 13:15:48 2023 +0200| [26737680d3f3f5b27cd0c0a7049d8330a2746172] | committer: Michael Niedermayer

avcodec/rkmppdec: Fix double-free on error

After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
(cherry picked from commit 4513300989502090c4fd6560544dce399a8cd53c)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26737680d3f3f5b27cd0c0a7049d8330a2746172
---

 libavcodec/rkmppdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
index 53b6f6d5e8..6e5ba3484e 100644
--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
@@ -462,8 +462,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
 
             frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
             if (!frame->hw_frames_ctx) {
-                ret = AVERROR(ENOMEM);
-                goto fail;
+                av_frame_unref(frame);
+                return AVERROR(ENOMEM);
             }
 
             return 0;

