avfilter/af_join: fix wrong loop bound in buffer dedup (use-after-free)
author Franciszek Kalinowski <franek.kalinowski@isec.pl>
Tue, 19 May 2026 07:29:45 +0000 (09:29 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Sat, 13 Jun 2026 13:25:42 +0000 (15:25 +0200)
commit aa1d5f086a597a8fa168630df4865b96a9c4481a
tree c5cc306662dc3ca445a90c6ba31b6bd120b7a45a
parent 65d5f45f765900bf4eb1a898948fa3103e88f84f

try_push_frame() decides whether an input buffer is already tracked by testing
`j == i` (the channel index) instead of `j == nb_buffers`. Once an earlier
channel shared a buffer, nb_buffers falls behind i and a genuinely new buffer is
never referenced, so it is freed while the output frame still points at it.

Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski.

(cherry picked from commit 461fb220538f13fb4f971af5d7321459a4c84754)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavfilter/af_join.c
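
An added illustration, not code from FFmpeg or from this commit: a reduced C model of the dedup check the message describes, comparing the `j == i` test with `j == nb_buffers`. The function names, the integer buffer ids and the sample arrays are assumptions constructed for the example; real code tracks buffer references, not ints.

```c
#include <stdio.h>

#define MAX_CH 8

/* Constructed inputs: entry i is the id of the buffer backing channel i. */
static const int SHARED[3]   = { 10, 10, 20 }; /* channels 0 and 1 share a buffer */
static const int DISTINCT[3] = { 10, 20, 30 }; /* one buffer per channel */

/* Dedup loop modelled on the commit message. use_fix = 0 tests `j == i`,
 * use_fix = 1 tests `j == nb_buffers`. Returns the number of tracked ids. */
static int track_buffers(const int *plane_buf, int nb_channels,
                         int use_fix, int *tracked)
{
    int nb_buffers = 0;
    for (int i = 0; i < nb_channels && i < MAX_CH; i++) {
        int j;
        for (j = 0; j < nb_buffers; j++)
            if (tracked[j] == plane_buf[i])
                break;                       /* already tracked */
        if (use_fix ? (j == nb_buffers) : (j == i))
            tracked[nb_buffers++] = plane_buf[i];
    }
    return nb_buffers;
}

/* Counts channels whose buffer never got tracked, i.e. the output would
 * point at memory it holds no reference to. */
static int dangling_channels(const int *plane_buf, int nb_channels, int use_fix)
{
    int tracked[MAX_CH], dangling = 0;
    int n = track_buffers(plane_buf, nb_channels, use_fix, tracked);
    for (int i = 0; i < nb_channels && i < MAX_CH; i++) {
        int found = 0;
        for (int j = 0; j < n; j++)
            found |= (tracked[j] == plane_buf[i]);
        dangling += !found;
    }
    return dangling;
}

int main(void)
{
    printf("shared,   j == i:          %d dangling\n", dangling_channels(SHARED, 3, 0));
    printf("shared,   j == nb_buffers: %d dangling\n", dangling_channels(SHARED, 3, 1));
    printf("distinct, j == i:          %d dangling\n", dangling_channels(DISTINCT, 3, 0));
    return 0;
}
```

With one buffer per channel, `nb_buffers` equals `i` on every iteration and both conditions agree, so the wrong bound only shows up once an earlier channel has shared a buffer.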