From patchwork Wed Apr 25 00:58:55 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 8641
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 25 Apr 2018 02:58:55 +0200
Message-Id: <20180425005855.15445-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH] avcodec/elsdec: Fix memleaks

Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/elsdec.c | 10 ++++++---- libavcodec/g2meet.c | 1 + 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..8327662b4b 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { - av_free(rung->rem_rung_list); + av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) 
@@ -389,16 +389,18 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) else { if (!rung_node->next_index) { if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { + void *ptr_tmp; // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; - ur->rem_rung_list = av_realloc(ur->rem_rung_list, + ptr_tmp = av_realloc(ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); - if (!ur->rem_rung_list) { - av_free(ur->rem_rung_list); + if (!ptr_tmp) { + av_freep(&ur->rem_rung_list); ctx->err = AVERROR(ENOMEM); return 0; } + ur->rem_rung_list = ptr_tmp; memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, RUNG_SPACE); ur->rung_list_size += RUNG_SPACE; diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a46157218f..b409dae813 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -927,6 +927,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); + ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; }
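
Review bot: ff_els_decoder_uninit() in the first elsdec.c hunk carries no comment saying whether it may be called more than once or on a rung that was never allocated. With av_freep(&rung->rem_rung_list) it now can be, and the g2meet.c hunk relies on that by adding a call on an error path, so if the codec's normal teardown also calls it the same rung is released twice. A one-line comment at the function stating that the call is idempotent and leaves rem_rung_list NULL would keep a later change from reverting to av_free() and reintroducing a double free.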
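
Review bot: In the !ptr_tmp branch of the second elsdec.c hunk (ff_els_decode_unsigned), av_freep(&ur->rem_rung_list) clears the list pointer but ur->rung_list_size keeps its old non-zero value, so the rung is left describing a buffer that no longer exists. The growth check visible just above, ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode), reads that size without looking at the pointer. Unless a NULL rem_rung_list is re-initialised at the top of the next call, set ur->rung_list_size = 0 next to the av_freep() so the state stays consistent after ENOMEM. Smaller point: ptr_tmp could be declared as ElsRungNode * rather than void * so the later assignment to ur->rem_rung_list is type-checked.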
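
Review bot: The g2meet.c hunk releases c->ec.unsigned_rung only in the "couldn't decode transparency pixel" branch of epic_jb_decode_tile(). If the function has other returns that can be reached after ff_els_decode_unsigned() has allocated the rung, they would leak in the same way. Routing the error exits through one cleanup label that calls ff_els_decoder_uninit(&c->ec.unsigned_rung) would cover them all, and the commit message could say which path the fuzzer test case actually hit.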