Opened 13 years ago

Closed 12 years ago

#3074 closed defect (fixed)

AvFormatDecoder and avformat double free crashes

Reported by: jwestfall
Owned by: Janne Grunau
Priority: minor
Milestone: 0.21
Component: mythtv
Version: head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

Been getting this crash quite often. During teardown of AvFormatDecoder there appears to be a double free of ic->pb.buffer.

AvFormatDecoder::CloseContext() does an av_free(ic->pb.buffer), then calls av_close_input_file(ic), which will end up freeing pb.buffer again in url_fclose(&s->pb). The latter av_free will only trigger under the following condition:

void av_close_input_file(AVFormatContext *s)
{
...
    must_open_file = 1;
    if (s->iformat->flags & AVFMT_NOFILE) {
        must_open_file = 0;
    }
    if (must_open_file) {
        url_fclose(&s->pb);
    }

Attachments (1)

gdb.txt (3.3 KB) - added by jwestfall 13 years ago.


Change History (5)

Changed 13 years ago by jwestfall

Attachment: gdb.txt added

comment:1 Changed 13 years ago by Janne Grunau

Milestone: unknown → 0.21
Owner: changed from Isaac Richards to Janne Grunau

comment:2 Changed 12 years ago by Janne Grunau

#5 0xb5fb534a in free () from /lib/tls/i686/cmov/libc.so.6
#6 0xb75379d8 in av_free (ptr=0x0) at mem.c:136

free should be NULL-pointer safe. Current av_free has a null pointer check.

comment:3 Changed 12 years ago by danielk

Janne, av_free has had a NULL pointer check for a very long time for those few libcs that aren't NULL pointer safe, and to support the memalign hack, which requires the NULL pointer check. (I.e. this wasn't any different when the bug report was made; the backtrace may be bad if compile time optimizations were enabled with --release-type=profile, or if something is overwriting memory.)

comment:4 Changed 12 years ago by paulh

Resolution: fixed
Status: new → closed

Jim has confirmed to me that this is no longer a problem.
