1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00

lavc/cbs_h2645_syntax_template: Fix memleak

payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().

Currently, payload_count is set after for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.

This commit keeps track of payload_count inside the for loop to fix the
issue. Note that that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.

Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
This commit is contained in:
Andriy Gelman 2019-12-06 14:22:14 -05:00 committed by James Almer
parent ed9279afbd
commit c07a772473
2 changed files with 2 additions and 2 deletions

View File

@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
current->payload[k].payload_type = payload_type; current->payload[k].payload_type = payload_type;
current->payload[k].payload_size = payload_size; current->payload[k].payload_size = payload_size;
current->payload_count++;
CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k])); CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k]));
if (!cbs_h2645_read_more_rbsp_data(rw)) if (!cbs_h2645_read_more_rbsp_data(rw))
@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
"SEI message: found %d.\n", k); "SEI message: found %d.\n", k);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
current->payload_count = k + 1;
#else #else
for (k = 0; k < current->payload_count; k++) { for (k = 0; k < current->payload_count; k++) {
PutBitContext start_state; PutBitContext start_state;

View File

@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
current->payload[k].payload_type = payload_type; current->payload[k].payload_type = payload_type;
current->payload[k].payload_size = payload_size; current->payload[k].payload_size = payload_size;
current->payload_count++;
CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k], prefix)); CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k], prefix));
if (!cbs_h2645_read_more_rbsp_data(rw)) if (!cbs_h2645_read_more_rbsp_data(rw))
@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
"SEI message: found %d.\n", k); "SEI message: found %d.\n", k);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
current->payload_count = k + 1;
#else #else
for (k = 0; k < current->payload_count; k++) { for (k = 0; k < current->payload_count; k++) {
PutBitContext start_state; PutBitContext start_state;