From patchwork Tue Jul 25 02:51:27 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4451
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.1.76 with SMTP id 73csp4940257vsb;
	Mon, 24 Jul 2017 19:51:41 -0700 (PDT)
X-Received: by 10.28.92.207 with SMTP id q198mr6193578wmb.72.1500951100931;
	Mon, 24 Jul 2017 19:51:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1500951100; cv=none;
	d=google.com; s=arc-20160816;
	b=jZaxd0VYfy70yFhn++JKzL7XAgBfXsVhmqsUtz8tBotOLPs9dJWL0xUckdoZQmejpl
	0Y3PIDxtaVURB9qCrlHPZ5hzAYXwBlIHisykW4zi79x277ustr7zsy4A6D5WKk8wFeZS
	AIvy4b4kxqHO1osnXLq0vpEEB9DzOXZYMe7+WOoQBGBKrvgQWZXYmlhRNjAXbGOonDGf
	O5u10M4eQKXctiLsAUajmijUk+EskGDBjmp8IWVCisOBkRjldZIbXentrsjPodO7om+2
	MWbsmx8bZoY51wfaTsEsGFwxg3SiLgotpMLea3YdEEZ8cqOsN1VQGDGGNkpT6HCCc3jE
	O7uQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=/Ov43sU8dpuV2z44IJS8eir1+j0TaoKna/YvWSFOKL8=;
	b=ZzGd1DbLyjrZIWRhj3wAPCZ2edbKLD7AAAqNS3xRQbeT9rQGrU5V3TLhpQkVwEOrZV
	gGP1CYSgXs3zC5Lal0AhovvQC/oZIiRUn6ckLAtFZfLYbtBrTtx0J7uI7+eVdyd0aBnV
	cqF6f/xjgHJiBJWQaJthipMcqhdCIiK4WuH/2VRM99sGrqrxYTjAvKG9kVYBnECCMp+g
	nIAjFUs6PdUb4rZBHZ/GKa5gabTi6Fs1uC5dqx/58JRnkrwc1EVeSeP7YT11MnBAgPTz
	iow+y3mjcE0ucBdt8lXtuDjKjqg/h5OIyNDyyQubi/mJLFVZNrhvHUJUQtTMKbhAmq8j
	aBtw==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	z64si14448471wrb.48.2017.07.24.19.51.40;
	Mon, 24 Jul 2017 19:51:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2A91B689C20;
	Tue, 25 Jul 2017 05:51:38 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
	(vie01a-dmta-pe07-1.mx.upcmail.net [84.116.36.17])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 834CA689B29
	for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Jul 2017 05:51:31 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe07.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dZpwY-00089i-Uu
	for ffmpeg-devel@ffmpeg.org; Tue, 25 Jul 2017 04:51:30 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id oqrU1v00c0S5wYM01qrVJl; Tue, 25 Jul 2017 04:51:29 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue, 25 Jul 2017 04:51:27 +0200
Message-Id: <20170725025127.19293-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH] avformat/oggparsecelt: Do not re-allocate
	os->private
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/oggparsecelt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c
index 6d567f988a..9c438a096a 100644
--- a/libavformat/oggparsecelt.c
+++ b/libavformat/oggparsecelt.c
@@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx)
         st->codecpar->channels       = nb_channels;
         if (sample_rate)
             avpriv_set_pts_info(st, 64, 1, sample_rate);
-        priv->extra_headers_left  = 1 + extra_headers;
-        av_free(os->private);
+
+        if (os->private) {
+            av_free(priv);
+            priv = os->private;
+        }
         os->private = priv;
+        priv->extra_headers_left  = 1 + extra_headers;
+
         AV_WL32(st->codecpar->extradata + 0, overlap);
         AV_WL32(st->codecpar->extradata + 4, version);
         return 1;