
lavc/cbs_h2645_syntax_template: Fix memleak

payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().

Currently, payload_count is set after for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.

This commit keeps track of payload_count inside the for loop to fix the
issue. Note that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.

Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
(cherry picked from commit c07a77247363eb666a49536af505e7317225ee81)

Andriy Gelman authored on 2019/12/07 04:22:14
Showing 2 changed files
@@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
954 954
         current->payload[k].payload_type = payload_type;
955 955
         current->payload[k].payload_size = payload_size;
956 956
 
957
+        current->payload_count++;
957 958
         CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k]));
958 959
 
959 960
         if (!cbs_h2645_read_more_rbsp_data(rw))
@@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
964 964
                "SEI message: found %d.\n", k);
965 965
         return AVERROR_INVALIDDATA;
966 966
     }
967
-    current->payload_count = k + 1;
968 967
 #else
969 968
     for (k = 0; k < current->payload_count; k++) {
970 969
         PutBitContext start_state;
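Review bot: The new `current->payload_count++` at 957 is placed before the `CHECK(FUNC(sei_payload)(...))` call, and nothing in the hunk records why that ordering matters; per the commit message it is what lets the free routine release a payload whose parse failed part-way, and a later reader could "tidy" it by moving the increment after the CHECK and silently reintroduce the leak. I would add a comment above the increment: `/* Count the payload before parsing it so that a failure inside sei_payload() still leaves it reachable for the SEI free routine. */`. The same applies to the matching increment at 2187 in the second file's hunk. The enclosing FUNC(sei) starts and ends outside the hunk, so the loop bound and the error path that the "SEI message: found %d" message belongs to are not visible here.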
@@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
2184 2184
         current->payload[k].payload_type = payload_type;
2185 2185
         current->payload[k].payload_size = payload_size;
2186 2186
 
2187
+        current->payload_count++;
2187 2188
         CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k], prefix));
2188 2189
 
2189 2190
         if (!cbs_h2645_read_more_rbsp_data(rw))
@@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
2194 2194
                "SEI message: found %d.\n", k);
2195 2195
         return AVERROR_INVALIDDATA;
2196 2196
     }
2197
-    current->payload_count = k + 1;
2198 2197
 #else
2199 2198
     for (k = 0; k < current->payload_count; k++) {
2200 2199
         PutBitContext start_state;