avformat/segment: Fix segfault when error happens and segment list is output

The segment muxer has an option to output a file containing a list of
the segments written. The AVIOContext used for writing this file is
opened via the main AVFormatContext's io_open callback; seg_free()
meanwhile unconditionally closes this AVIOContext by calling
ff_format_io_close() with the child muxer (the one for the actual output
format) as AVFormatContext.

The problem hereby is that the child AVFormatContext need not exist,
even when the AVIOContext does. This leads to a segfault in
ff_format_io_close() when the child muxer's io_close callback is called.

Situations in which the AVFormatContext can be NULL range from an
invalid reference stream parameter to an unavailable/bogus/unsupported
output format to inability to allocate the AVFormatContext.

The solution is to simply close the AVIOContext with the AVFormatContext
that was used to open it: The main AVFormatContext.

Reviewed-by: Ridley Combs <rcombs@rcombs.me>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

diff --git a/libavformat/segment.c b/libavformat/segment.c
index e84dc7a426f92f1b393914bf52e4a317f1fbd6e6..858ccf86975c2cdfb3708824f8c133480c5c8ee1 100644 (file)
--- a/libavformat/segment.c
+++ b/libavformat/segment.c
@@ -659,7 +659,7 @@ static int select_reference_stream(AVFormatContext *s)
 static void seg_free(AVFormatContext *s)
 {
     SegmentContext *seg = s->priv_data;
-    ff_format_io_close(seg->avf, &seg->list_pb);
+    ff_format_io_close(s, &seg->list_pb);
     avformat_free_context(seg->avf);
     seg->avf = NULL;
     av_freep(&seg->times);