From: wm4 <***@googlemail.com>

Some callers (like do_subtitle_out(), or do_streamcopy()) call this
with an AVPacket that is not refcounted. This can cause undefined
behavior.

Calling av_packet_move_ref() does not make a packet refcounted if it
isn't yet. (And it can't be made to, because it always succeeds,
and can't return ENOMEM.)

Call av_packet_ref() instead to make sure it's refcounted.
---
avtools/avconv.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/avtools/avconv.c b/avtools/avconv.c
index ac15464a8d..3abb7f872f 100644
--- a/avtools/avconv.c
+++ b/avtools/avconv.c
@@ -281,7 +281,7 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
int ret;

if (!of->header_written) {
- AVPacket tmp_pkt;
+ AVPacket tmp_pkt = {0};
/* the muxer is not initialized yet, buffer the packet */
if (!av_fifo_space(ost->muxing_queue)) {
int new_size = FFMIN(2 * av_fifo_size(ost->muxing_queue),
@@ -296,8 +296,11 @@ static void write_packet(OutputFile *of, AVPacket *pkt, OutputStream *ost)
if (ret < 0)
exit_program(1);
}
- av_packet_move_ref(&tmp_pkt, pkt);
+ ret = av_packet_ref(&tmp_pkt, pkt);
+ if (ret < 0)
+ exit_program(1);
av_fifo_generic_write(ost->muxing_queue, &tmp_pkt, sizeof(tmp_pkt), NULL);
+ av_packet_unref(pkt);
return;
}