virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-10-30 23:18:11 +02:00
Code Issues Releases Activity

avformat/icodec: Free ico->images on error paths

Browse Source 
Fixes: 15116/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5715173567889408
Fixes: memleak

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2019-06-08 10:48:41 +02:00
parent 112eb17a2b
commit 54918b5116
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libavformat/icodec.c
View File

@@ -96,8 +96,10 @@ static int read_header(AVFormatContext *s)
break; break;
st = avformat_new_stream(s, NULL); st = avformat_new_stream(s, NULL);
if (!st) if (!st) {
av_freep(&ico->images);
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
}
st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
st->codecpar->width = avio_r8(pb); st->codecpar->width = avio_r8(pb);
@@ -111,6 +113,7 @@ static int read_header(AVFormatContext *s)
ico->images[i].size = avio_rl32(pb); ico->images[i].size = avio_rl32(pb);
if (ico->images[i].size <= 0) { if (ico->images[i].size <= 0) {
av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size);
av_freep(&ico->images);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
ico->images[i].offset = avio_rl32(pb); ico->images[i].offset = avio_rl32(pb);
@@ -126,8 +129,10 @@ static int read_header(AVFormatContext *s)
st->codecpar->height = 0; st->codecpar->height = 0;
break; break;
case 40: case 40:
if (ico->images[i].size < 40) if (ico->images[i].size < 40) {
av_freep(&ico->images);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
}
st->codecpar->codec_id = AV_CODEC_ID_BMP; st->codecpar->codec_id = AV_CODEC_ID_BMP;
tmp = avio_rl32(pb); tmp = avio_rl32(pb);
if (tmp) if (tmp)
@@ -138,6 +143,7 @@ static int read_header(AVFormatContext *s)
break; break;
default: default:
avpriv_request_sample(s, "codec %d", codec); avpriv_request_sample(s, "codec %d", codec);
av_freep(&ico->images);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
} }