OSDN Git Service

ogg: fix double free when finding length of small chained oggs.
author    Ronald S. Bultje <rsbultje@gmail.com>
          Wed, 29 Jun 2011 05:24:21 +0000 (22:24 -0700)
committer Ronald S. Bultje <rsbultje@gmail.com>
          Wed, 29 Jun 2011 16:45:52 +0000 (09:45 -0700)
ogg_save() copies streams[], but doesn't keep track of free()'ed
struct members. Thus, if in between a call to ogg_save() and
ogg_restore(), streams[].private was free()'ed, this would result
in a double free -> crash, which happened when e.g. playing small
chained ogg fragments.

libavformat/oggdec.c

index f1ad630..998a33b 100644
@@ -238,7 +238,8 @@ static int ogg_read_page(AVFormatContext *s, int *str)
 
             for (n = 0; n < ogg->nstreams; n++) {
                 av_freep(&ogg->streams[n].buf);
-                av_freep(&ogg->streams[n].private);
+                if (!ogg->state || ogg->state->streams[n].private != ogg->streams[n].private)
+                    av_freep(&ogg->streams[n].private);
             }
             ogg->curidx   = -1;
             ogg->nstreams = 0;
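Review bot: the new guard indexes `ogg->state->streams[n]` with the current loop index, but nothing in this hunk bounds `n` by the number of streams that existed when the snapshot was taken; if a stream was appended to `ogg->streams[]` after ogg_save() and before this cleanup, the comparison reads past the end of the saved copy. Either limit the comparison to the snapshot's stream count (e.g. `n < ogg->state->nstreams`, if that field exists in the saved state) or add a comment stating why `ogg->nstreams` cannot grow between save and restore. A one-line comment above the `if` saying that a `private` pointer still referenced by the saved state is owned by ogg_restore() and must not be freed here would also make the ownership rule explicit for the next reader, and assigning `ogg->streams[n].private = NULL` in the shared case would avoid leaving a dangling pointer behind even though `ogg->nstreams = 0` makes it unreachable afterwards.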