From 4ccbfbccb988b585d5b16d311623cdd5d8232a0f Mon Sep 17 00:00:00 2001
From: Kieran Kunhya
Date: Thu, 28 May 2026 20:34:54 +0800
Subject: [PATCH] upipe_ts_scte35_decoder: fix use-after-unmap in command handlers uref_ts_scte35_set_message reads from the scte35 pointer obtained via uref_block_read. Call it before uref_block_unmap in all three command handlers so the pointer is still valid when the data is copied.
Co-Authored-By: Claude Sonnet 4.6
---
 lib/upipe-ts/upipe_ts_scte35_decoder.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/upipe-ts/upipe_ts_scte35_decoder.c b/lib/upipe-ts/upipe_ts_scte35_decoder.c
index 737870709..5a09132f7 100644
--- a/lib/upipe-ts/upipe_ts_scte35_decoder.c
+++ b/lib/upipe-ts/upipe_ts_scte35_decoder.c
@@ -196,8 +196,8 @@ static void upipe_ts_scte35d_insert_command(struct upipe *upipe,
 upipe_ts_scte35d_parse_descs(upipe, uref, scte35_get_descl(scte35), scte35_get_desclength(scte35));
- uref_block_unmap(uref, 0);
 uref_ts_scte35_set_message(uref, scte35, size);
+ uref_block_unmap(uref, 0);
 ubuf_free(uref_detach_ubuf(uref));
 uref_ts_scte35_set_command_type(uref, SCTE35_INSERT_COMMAND);
@@ -284,8 +284,8 @@ static void upipe_ts_scte35d_time_signal_command(struct upipe *upipe,
 if (descl) upipe_ts_scte35d_parse_descs(upipe, uref, descl, desc_length);
- uref_block_unmap(uref, 0);
 uref_ts_scte35_set_message(uref, scte35, size);
+ uref_block_unmap(uref, 0);
 ubuf_free(uref_detach_ubuf(uref));
 upipe_ts_scte35d_output(upipe, uref, upump_p);
@@ -326,8 +326,8 @@ static void upipe_ts_scte35d_null_command(struct upipe *upipe,
 upipe_ts_scte35d_parse_descs(upipe, uref, scte35_get_descl(scte35), scte35_get_desclength(scte35));
- uref_block_unmap(uref, 0);
 uref_ts_scte35_set_message(uref, scte35, size);
+ uref_block_unmap(uref, 0);
 ubuf_free(uref_detach_ubuf(uref));
 uref_ts_scte35_set_command_type(uref, SCTE35_NULL_COMMAND);
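Review bot: Nothing at the three reordered call sites records why `uref_ts_scte35_set_message(uref, scte35, size)` has to run before `uref_block_unmap(uref, 0)`, so a later cleanup could swap them back. I would add `/* scte35 points into the mapped block: copy it before unmapping */` above the call in upipe_ts_scte35d_insert_command, and likewise in the time_signal and null handlers. The return value of `uref_ts_scte35_set_message` is also discarded in all three hunks, so if the copy can fail (its definition is not shown here) the uref would presumably continue downstream without the message attached; checking it before `ubuf_free(uref_detach_ubuf(uref))` would make that visible. Since the same set_message / unmap / ubuf_free sequence is repeated in each handler, a small static helper would keep the ordering in one place. All three functions start and end outside their hunks, so whether `size` is bounded by the mapped length cannot be confirmed from this patch.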