avfilter/qsvvpp: Fix double-free of AVFrame on error

An AVFilterPad's filter_frame callback in general and ff_filter_frame() in particular take ownership of the provided frame and are responsible for freeing it on error. Therefore it is wrong for ff_qsvvpp_filter_frame() to free the frame itself on error again, as all filter_frame callbacks in use are derived from ff_filter_frame(). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
mkver · Aug 15, 2021 · 0a6e37a · 0a6e37a
1 parent a492a9d
commit 0a6e37a
Showing 1 changed file with 4 additions and 8 deletions.
diff --git a/libavfilter/qsvvpp.c b/libavfilter/qsvvpp.c
@@ -805,13 +805,11 @@ int ff_qsvvpp_filter_frame(QSVVPPContext *s, AVFilterLink *inlink, AVFrame *picr
             av_log(ctx, AV_LOG_WARNING, "Sync failed.\n");
 
         filter_ret = s->filter_frame(outlink, tmp->frame);
-        if (filter_ret < 0) {
-            av_frame_free(&tmp->frame);
+        tmp->frame = NULL;
+        if (filter_ret < 0)
             return filter_ret;
-        }
         tmp->queued--;
         s->got_frame = 1;
-        tmp->frame = NULL;
     };
 
     if (!picref)
@@ -861,14 +859,12 @@ int ff_qsvvpp_filter_frame(QSVVPPContext *s, AVFilterLink *inlink, AVFrame *picr
             } while (ret == MFX_WRN_IN_EXECUTION);
 
             filter_ret = s->filter_frame(outlink, tmp->frame);
-            if (filter_ret < 0) {
-                av_frame_free(&tmp->frame);
+            tmp->frame = NULL;
+            if (filter_ret < 0)
                 return filter_ret;
-            }
 
             tmp->queued--;
             s->got_frame = 1;
-            tmp->frame = NULL;
         }
     } while(ret == MFX_ERR_MORE_SURFACE);