audio: fix use-after-free with fuzzed file

reinit_audio_filters_and_output() can fully shutdown the audio chain on failure. Specifically, it will deallocate mpctx->ao_chain. The value of that field was cached in ao_c. The code after the call did not account that the audio chain can be shutdown, and used the stale ao_c value. Fixes: #6808
mpv-player · Sep 21, 2019 · 5858e3c · 5858e3c
1 parent fc7decd
commit 5858e3c
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/player/audio.c b/player/audio.c
@@ -813,6 +813,8 @@ void fill_audio_out_buffers(struct MPContext *mpctx)
         // Probe the initial audio format.
         mp_pin_out_request_data(ao_c->filter->f->pins[1]);
         reinit_audio_filters_and_output(mpctx);
+        if (!mpctx->ao_chain)
+            return;
         if (ao_c->filter->got_output_eof &&
             mpctx->audio_status != STATUS_EOF)
         {