p_picture structure in DecodeVideo() used after free
PoC attached.
Crash info:
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xae9dab40 (LWP 19357)]
0xb7fdccb0 in ?? ()
(gdb) bt
#0  0xb7fdccb0 in ?? ()
#1  0xb7e1a33a in malloc_printerr (action=<optimized out>, str=0xb7f0cf00 "munmap_chunk(): invalid pointer", ptr=0xab173780) at malloc.c:4996
#2  0xb7e1a408 in munmap_chunk (p=<optimized out>) at malloc.c:2816
#3  0xb7ca9542 in PictureDestroy (p_picture=0xb223c2a0) at misc/picture.c:104
#4  0xb7cab5ad in picture_Release (p_picture=0xb223c2a0) at misc/picture.c:292
#5  0xabc10af0 in Clean (p_filter=0xb2202ed0) at video_chroma/swscale.c:486
#6  CloseScaler (p_this=0xb2202ed0) at video_chroma/swscale.c:225
#7  0xb7cb14c0 in generic_stop (func=0xabc109f0 <CloseScaler>, ap=0xae9da0fc "\020x?Pb\t\b8\331\004\b\355A? \017÷") at modules/modules.c:359
#8  0xb7cb4112 in vlc_module_unload (module=module@entry=0x80961d8, deinit=deinit@entry=0xb7cb1480 <generic_stop>) at modules/modules.c:340
#9  0xb7cb425f in module_unneed (obj=obj@entry=0xb2202ed0, module=0x80961d8) at modules/modules.c:373
#10 0xb7d042ec in filter_chain_DeleteFilterInternal (p_chain=p_chain@entry=0xb2205868, p_filter=0xb2202ed0) at misc/filter_chain.c:521
#11 0xb7d0502f in filter_chain_Reset (p_chain=p_chain@entry=0xb2205868, p_fmt_in=p_fmt_in@entry=0x0, p_fmt_out=p_fmt_out@entry=0x0) at misc/filter_chain.c:158
#12 0xb7d0520c in filter_chain_Delete (p_chain=0xb2205868) at misc/filter_chain.c:144
#13 0xb7c3830c in VoutDisplayDestroyRender (vd=0xab1ace68) at video_output/display.c:504
#14 vout_DeleteDisplay (vd=0xab1ace68, state=state@entry=0x0) at video_output/display.c:1405
#15 0xb7c69dd7 in vout_CloseWrapper (vout=vout@entry=0xb221f108, state=state@entry=0x0) at video_output/vout_wrapper.c:99
#16 0xb7c4166c in ThreadStop (vout=vout@entry=0xb221f108, state=state@entry=0x0) at video_output/video_output.c:1397
#17 0xb7c46b15 in ThreadReinit (cfg=<optimized out>, cfg=<optimized out>, vout=<optimized out>) at video_output/video_output.c:1439
#18 ThreadControl (cmd=..., vout=<optimized out>) at video_output/video_output.c:1495
#19 Thread (object=0xb221f108) at video_output/video_output.c:1589
#20 0xb7f61f70 in start_thread (arg=0xae9dab40) at pthread_create.c:312
#21 0xb7e92bee in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
Edited by Rémi Denis-Courmont