[FFmpeg-devel] avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()

Message ID 20161119161027.4792-1-jamrial@gmail.com
State Accepted
Commit aa498c3183236a93206b4a0e8225b9db0660b50d

Commit Message

James Almer Nov. 19, 2016, 4:10 p.m. UTC
If realloc fails, the pointer is overwritten and the previously allocated buffer
is leaked, which goes against the expected functionality of keeping the packet
unchanged in case of error.

Signed-off-by: James Almer <jamrial@gmail.com>
---
Should I backport this to affected branches?

 libavcodec/avpacket.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer Nov. 19, 2016, 10:30 p.m. UTC | #1
On Sat, Nov 19, 2016 at 01:10:27PM -0300, James Almer wrote:
> If realloc fails, the pointer is overwritten and the previously allocated buffer
> is leaked, which goes against the expected functionality of keeping the packet
> unchanged in case of error.
> 
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> Should I backport this to affected branches?
> 
>  libavcodec/avpacket.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

LGTM

thx

[...]
James Almer Nov. 19, 2016, 11:30 p.m. UTC | #2
On 11/19/2016 7:30 PM, Michael Niedermayer wrote:
> On Sat, Nov 19, 2016 at 01:10:27PM -0300, James Almer wrote:
>> If realloc fails, the pointer is overwritten and the previously allocated buffer
>> is leaked, which goes against the expected functionality of keeping the packet
>> unchanged in case of error.
>>
>> Signed-off-by: James Almer <jamrial@gmail.com>
>> ---
>> Should I backport this to affected branches?
>>
>>  libavcodec/avpacket.c | 7 ++++---
>>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> LGTM
> 
> thx

Pushed and backported to releases 3.0, 3.1 and 3.2.

Thanks.

Patch

diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index c3f871c..e5a8bdb 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -295,16 +295,17 @@  FF_ENABLE_DEPRECATION_WARNINGS
 int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
                             uint8_t *data, size_t size)
 {
+    AVPacketSideData *tmp;
     int elems = pkt->side_data_elems;
 
     if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
         return AVERROR(ERANGE);
 
-    pkt->side_data = av_realloc(pkt->side_data,
-                                (elems + 1) * sizeof(*pkt->side_data));
-    if (!pkt->side_data)
+    tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
+    if (!tmp)
         return AVERROR(ENOMEM);
 
+    pkt->side_data = tmp;
     pkt->side_data[elems].data = data;
     pkt->side_data[elems].size = size;
     pkt->side_data[elems].type = type;
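
Review bot: The new av_realloc() call sizes the array with sizeof(*tmp) while the ERANGE guard two lines above still divides by sizeof(*pkt->side_data); both name the same element type, so the result is correct, but using one expression in both places would keep the overflow check and the allocation visibly paired if either is edited later. A second point on the same error path: now that a failed realloc leaves pkt->side_data untouched, both early returns (ERANGE and ENOMEM) hand control back without storing data in the packet, so the caller still owns that buffer and must free it. Nothing in the visible lines says so; a one-line comment above the function or at the ENOMEM return stating that data is not taken on failure would help callers avoid a leak of their own.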