avformat/mpegts: Don't leave context in inconsistent state upon error

Up until now, opening a section filter works as follows: A filter is opened and (on success) attached to the MpegTSContext. Then a buffer for said filter is allocated and upon success attached to the section filter; on error, the filter is simply freed without removing it from the MpegTSContext, leaving the latter in an inconsistent state. This leads to use-after-frees lateron. This commit fixes this by allocating the buffer first; the filter is only opened if the buffer could be successfully allocated. Reviewed-by: Marton Balint <cus@passwd.hu> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2024-12-23 12:43:46 +02:00 · 2020-08-10 14:20:58 +02:00 · 2020-08-10 14:20:58 +02:00 · 1ead176d87
commit 1ead176d87
parent a5ac81952e
1 changed files with 8 additions and 6 deletions
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@ -510,20 +510,22 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts,
 {
    MpegTSFilter *filter;
    MpegTSSectionFilter *sec;
+    uint8_t *section_buf = av_mallocz(MAX_SECTION_SIZE);

-    if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION)))
+    if (!section_buf)
        return NULL;
+
+    if (!(filter = mpegts_open_filter(ts, pid, MPEGTS_SECTION))) {
+        av_free(section_buf);
+        return NULL;
+    }
    sec = &filter->u.section_filter;
    sec->section_cb  = section_cb;
    sec->opaque      = opaque;
-    sec->section_buf = av_mallocz(MAX_SECTION_SIZE);
+    sec->section_buf = section_buf;
    sec->check_crc   = check_crc;
    sec->last_ver    = -1;

-    if (!sec->section_buf) {
-        av_free(filter);
-        return NULL;
-    }
    return filter;
 }