virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
Code Issues Releases Activity

lavf/mxfdec: Fix memleaks reading corrupt files.

Browse Source 
Fixes ticket #4173.

Reviewed-by: Tomas Härdin
This commit is contained in:
Carl Eugen Hoyos 2014-12-15 01:33:13 +01:00
parent 27bdfd29f1
commit 4373a25d94
1 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libavformat/mxfdec.c
View File

@ -863,8 +863,11 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
!(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
!(segment->stream_offset_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->stream_offset_entries)))) !(segment->stream_offset_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->stream_offset_entries)))) {
av_freep(&segment->temporal_offset_entries);
av_freep(&segment->flag_entries);
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
}
for (i = 0; i < segment->nb_index_entries; i++) { for (i = 0; i < segment->nb_index_entries; i++) {
segment->temporal_offset_entries[i] = avio_r8(pb); segment->temporal_offset_entries[i] = avio_r8(pb);
@ -2168,16 +2171,20 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
} }
} }
} }
if (ctx_size && tag == 0x3C0A) if (ctx_size && tag == 0x3C0A) {
avio_read(pb, ctx->uid, 16); avio_read(pb, ctx->uid, 16);
else if ((ret = read_child(ctx, pb, tag, size, uid, -1)) < 0) } else if ((ret = read_child(ctx, pb, tag, size, uid, -1)) < 0) {
mxf_free_metadataset(&ctx);
return ret; return ret;
}
/* Accept the 64k local set limit being exceeded (Avid). Don't accept /* Accept the 64k local set limit being exceeded (Avid). Don't accept
* it extending past the end of the KLV though (zzuf5.mxf). */ * it extending past the end of the KLV though (zzuf5.mxf). */
if (avio_tell(pb) > klv_end) { if (avio_tell(pb) > klv_end) {
if (ctx_size) if (ctx_size) {
av_free(ctx); ctx->type = type;
mxf_free_metadataset(&ctx);
}
av_log(mxf->fc, AV_LOG_ERROR, av_log(mxf->fc, AV_LOG_ERROR,
"local tag %#04x extends past end of local set @ %#"PRIx64"\n", "local tag %#04x extends past end of local set @ %#"PRIx64"\n",
@ -2565,7 +2572,8 @@ static int mxf_read_header(AVFormatContext *s)
/* FIXME avoid seek */ /* FIXME avoid seek */
if (!essence_offset) { if (!essence_offset) {
av_log(s, AV_LOG_ERROR, "no essence\n"); av_log(s, AV_LOG_ERROR, "no essence\n");
return AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
goto fail;
} }
avio_seek(s->pb, essence_offset, SEEK_SET); avio_seek(s->pb, essence_offset, SEEK_SET);