fix: Resolve double-free crash in DVB split pipeline cleanup

Rahul-2k4 · Rahul-2k4 · commit 3ff02617b0b9 · 2026-01-16T16:02:59.000+05:30
- Remove redundant free() after free_subtitle() in pipeline cleanup
  (free_subtitle already frees the struct via freep(&amp;sub))
- Add ctx-&gt;prev = NULL after free_encoder_context in dinit_encoder
- Keep free_encoder_context non-recursive for prev (dinit_encoder owns it)
- Remove debug output from general_loop.c
diff --git a/src/lib_ccx/ccx_decoders_common.c b/src/lib_ccx/ccx_decoders_common.c
@@ -736,6 +736,9 @@ void free_encoder_context(struct encoder_ctx *ctx)
 	freep(&ctx->subline);
 	freep(&ctx->start_credits_text);
 	freep(&ctx->end_credits_text);
+	// NOTE: Do NOT recurse into ctx->prev here. Ownership of prev is managed by
+	// dinit_encoder() which explicitly calls free_encoder_context(ctx->prev).
+	// Recursing here causes double-free when dinit_encoder cleans up.
 	freep(&ctx->prev);
 	freep(&ctx->last_str);
 	freep(&ctx);
diff --git a/src/lib_ccx/ccx_encoders_common.c b/src/lib_ccx/ccx_encoders_common.c
@@ -723,6 +723,7 @@ void dinit_encoder(struct encoder_ctx **arg, LLONG current_fts)
 	dinit_teletext_outputs(ctx);
 
 	free_encoder_context(ctx->prev);
+	ctx->prev = NULL;  // Ensure it's nulled after freeing
 	freep(&ctx->last_str);
 	dinit_output_ctx(ctx);
 	freep(&ctx->subline);
diff --git a/src/lib_ccx/general_loop.c b/src/lib_ccx/general_loop.c
@@ -1407,26 +1407,12 @@ int process_non_multiprogram_general_loop(struct lib_ccx_ctx *ctx,
 						// Safety check: Skip if decoder was freed due to PAT change
 						if (pipe->decoder && pipe->dec_ctx->private_data)
 						{
-							// Unconditional Debug
-							mprint("DVB-DEBUG-TRACE: len=%lld ", dvb_ptr->len);
-							for (int d = 0; d < 8 && d < dvb_ptr->len; d++)
-								mprint("%02X ", dvb_ptr->buffer[d]);
-							mprint("\n");
-
 							int offset = 2;
 							// Auto-detect offset based on sync byte 0x0F
 							if (dvb_ptr->len > 2 && dvb_ptr->buffer[2] == 0x0f)
 								offset = 2;
 							else if (dvb_ptr->len > 0 && dvb_ptr->buffer[0] == 0x0f)
 								offset = 0;
-							else
-							{
-								// Debug: Dump first 16 bytes to see what we have
-								mprint("DVB-DEBUG-FAIL: len=%lld ", dvb_ptr->len);
-								for (int d = 0; d < 16 && d < dvb_ptr->len; d++)
-									mprint("%02X ", dvb_ptr->buffer[d]);
-								mprint("\n");
-							}
 							
 							dvbsub_decode(pipe->encoder, pipe->dec_ctx, dvb_ptr->buffer + offset, dvb_ptr->len - offset, &pipe->dec_ctx->dec_sub);
 						}
diff --git a/src/lib_ccx/lib_ccx.c b/src/lib_ccx/lib_ccx.c
@@ -362,6 +362,13 @@ void dinit_libraries(struct lib_ccx_ctx **ctx)
 				freep(&p->dec_ctx->prev->private_data);
 				free(p->dec_ctx->prev);
 			}
+			// Free dec_sub.prev which was allocated in init_cc_decode or general_loop
+			// Note: free_subtitle already frees the struct via freep(&sub), so we don't call free() again
+			if (p->dec_ctx->dec_sub.prev)
+			{
+				free_subtitle(p->dec_ctx->dec_sub.prev);
+				p->dec_ctx->dec_sub.prev = NULL;
+			}
 			p->dec_ctx->private_data = NULL;
 			free(p->dec_ctx);
 		}

Original file line number	Diff line number	Diff line change
`@@ -362,6 +362,13 @@ void dinit_libraries(struct lib_ccx_ctx **ctx)`
`362`	`362`	`freep(&p->dec_ctx->prev->private_data);`
`363`	`363`	`free(p->dec_ctx->prev);`
`364`	`364`	`}`
	`365`	`+ // Free dec_sub.prev which was allocated in init_cc_decode or general_loop`
	`366`	`+ // Note: free_subtitle already frees the struct via freep(&sub), so we don't call free() again`
	`367`	`+ if (p->dec_ctx->dec_sub.prev)`
	`368`	`+ {`
	`369`	`+ free_subtitle(p->dec_ctx->dec_sub.prev);`
	`370`	`+ p->dec_ctx->dec_sub.prev = NULL;`
	`371`	`+ }`
`365`	`372`	`p->dec_ctx->private_data = NULL;`
`366`	`373`	`free(p->dec_ctx);`
`367`	`374`	`}`