payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().
Currently, payload_count is set after the for loop has completed. Hence if
there is an error and the function exits, payload_count remains zero,
causing a memleak.
This commit keeps track of payload_count inside the for loop to fix the
issue. Note that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.
Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
(cherry picked from commit c07a77247363eb666a49536af505e7317225ee81)
... | ... |
@@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, |
954 | 954 |
current->payload[k].payload_type = payload_type; |
955 | 955 |
current->payload[k].payload_size = payload_size; |
956 | 956 |
|
957 |
+ current->payload_count++; |
|
957 | 958 |
CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k])); |
958 | 959 |
|
959 | 960 |
if (!cbs_h2645_read_more_rbsp_data(rw)) |
... | ... |
@@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, |
964 | 964 |
"SEI message: found %d.\n", k); |
965 | 965 |
return AVERROR_INVALIDDATA; |
966 | 966 |
} |
967 |
- current->payload_count = k + 1; |
|
968 | 967 |
#else |
969 | 968 |
for (k = 0; k < current->payload_count; k++) { |
970 | 969 |
PutBitContext start_state; |
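Review bot: The increment at new line 957 makes `payload[k]` visible to cbs_h264_free_sei()/cbs_h265_free_sei() before `FUNC(sei_payload)` has parsed it, and nothing at that line records why the count is taken so early. On a failed CHECK the free path will now walk an entry whose `payload_type` is set but whose contents are only as complete as the parser got, which appears to be the intent, since that is what releases the partially read payload. It depends on two things not visible in these hunks: the structure being zero-filled on entry (the commit message attributes this to av_mallocz()), and the free routines tolerating unset buffers for every payload type. I would add a comment at the increment such as `/* Count the payload before parsing it so the free function releases it if sei_payload fails part-way; relies on current being zero-initialized. */`. The same applies to the matching increment at new line 2187 in the second FUNC(sei) hunk, and the body of FUNC(sei) starts and ends outside the hunks in both cases.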
... | ... |
@@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, |
2184 | 2184 |
current->payload[k].payload_type = payload_type; |
2185 | 2185 |
current->payload[k].payload_size = payload_size; |
2186 | 2186 |
|
2187 |
+ current->payload_count++; |
|
2187 | 2188 |
CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix)); |
2188 | 2189 |
|
2189 | 2190 |
if (!cbs_h2645_read_more_rbsp_data(rw)) |
... | ... |
@@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, |
2194 | 2194 |
"SEI message: found %d.\n", k); |
2195 | 2195 |
return AVERROR_INVALIDDATA; |
2196 | 2196 |
} |
2197 |
- current->payload_count = k + 1; |
|
2198 | 2197 |
#else |
2199 | 2198 |
for (k = 0; k < current->payload_count; k++) { |
2200 | 2199 |
PutBitContext start_state; |