From patchwork Wed Apr 24 18:50:21 2019
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 12892
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 24 Apr 2019 15:50:21 -0300
Message-Id: <20190424185021.2060-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/cbs_mpeg2: fix leak of extra_information_slice buffer in cbs_mpeg2_read_slice_header()

cbs_mpeg2_free_slice() calls av_buffer_unref() on extra_information_ref, meaning allocating with av_malloc() was not the intention.

Signed-off-by: James Almer
---
Couldn't find any mpeg2 sample containing these fields, so it's untested. The leak is obvious regardless of that.

 libavcodec/cbs_mpeg2_syntax_template.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index 88cf453b17..672ff66141 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c
@@ -361,10 +361,11 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, current->extra_information_length = k; if (k > 0) { *rw = start; - current->extra_information = - av_malloc(current->extra_information_length); - if (!current->extra_information) + current->extra_information_ref = + av_buffer_alloc(current->extra_information_length); + if (!current->extra_information_ref) return AVERROR(ENOMEM); + current->extra_information = current->extra_information_ref->data; for (k = 0; k < current->extra_information_length; k++) { xui(1, extra_bit_slice, bit, 0); xui(8, extra_information_slice[k],
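Review bot: in the `if (k > 0)` branch, `extra_information` is now a borrowed pointer into `extra_information_ref->data`, and nothing at the assignment says so. A one-line comment there, or on the two struct fields, stating that the ref owns the storage would keep a later change from calling av_free() on `extra_information` or copying the struct without taking a new reference. Two further things to confirm, given the commit message says the change is untested. First, if any xui() read in the loop that follows can return early, the slice header is left holding a partly filled buffer, and av_buffer_alloc() does not zero its data; that is safe only if every error path ends in cbs_mpeg2_free_slice() and nothing reads the remaining bytes, otherwise av_buffer_allocz() is the more defensive choice. Second, when `k` is 0 neither field is assigned in this hunk, so both should already be NULL on entry for the unref in the free function to be a no-op.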