From 985f34b75653d02eda8eb8def3412f8577f19b01 Mon Sep 17 00:00:00 2001
From: Janne Grunau <janne-libav@jannau.net>
Date: Sat, 15 Jun 2013 22:11:55 +0300
Subject: [PATCH] utils: fix avcodec_flush_buffers pre-reference counting
 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The to_free AVframe must be freed just like the other ones.
Indeed, the calling application may expect all frames to be
released.

(This regression caused use-after-free in VLC with hwaccel.)

Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index accb6b3a945..3dddafca106 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1804,6 +1804,9 @@ void avcodec_flush_buffers(AVCodecContext *avctx)
         ff_thread_flush(avctx);
     else if (avctx->codec->flush)
         avctx->codec->flush(avctx);
+
+    if (!avctx->refcounted_frames)
+        av_frame_unref(&avctx->internal->to_free);
 }
 
 int av_get_exact_bits_per_sample(enum AVCodecID codec_id)
-- 
GitLab