From patchwork Fri Dec 6 19:22:14 2019
X-Patchwork-Submitter: Andriy Gelman
X-Patchwork-Id: 16644
From: Andriy Gelman
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 6 Dec 2019 14:22:14 -0500
Message-Id: <20191206192214.30514-1-andriy.gelman@gmail.com>
Subject: [FFmpeg-devel] [PATCH v2] lavc/cbs_h2645_syntax_template: Fix memleak
Cc: Andriy Gelman

payload_count is used to track the number of SEI payloads. It is also used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().

Currently, payload_count is set after the for loop is completed. Hence, if there is an error and the function exits, the payload remains zero, causing a memleak.

This commit keeps track of payload_count inside the for loop to fix the issue.

Note that the contents of current are initialized with av_mallocz(), so there is no need to zero-initialize payload_count.

Found-by: libFuzzer
Signed-off-by: Andriy Gelman --- libavcodec/cbs_h264_syntax_template.c | 2 +- libavcodec/cbs_h265_syntax_template.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 1671a15d330..878d348b948 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k])); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state; diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 54570929ec7..15114548c60 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix)); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state;
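Review bot: In the cbs_h264_syntax_template.c hunk at @@ -954, the placement of `current->payload_count++;` before `CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k]));` is load-bearing: if sei_payload fails after allocating for entry k, the entry is already counted and cbs_h264_free_sei() releases it, whereas an increment after the CHECK would leak exactly that entry. Suggest a one-line comment at the increment stating that it must precede the CHECK, and, since the counter is now only ever advanced in the read path, noting there that correctness relies on `current` being zeroed by av_mallocz() as the commit message says, so a later reorder or a reused unit does not silently reintroduce the leak.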
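Review bot: Removing `current->payload_count = k + 1;` in the cbs_h264_syntax_template.c hunk at @@ -964 is behaviour-preserving on the normal exit, since the break after `!cbs_h2645_read_more_rbsp_data(rw)` leaves the loop with entry k already counted, so the count is k + 1 in both versions. The visible change in behaviour is the `"SEI message: found %d.\n"` / `return AVERROR_INVALIDDATA;` path, where payload_count now equals the number of entries actually filled instead of zero; the commit message only speaks of "an error" generically, so stating that this too-many-payloads path is covered as well would make the fix easier to verify.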
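Review bot: The cbs_h265_syntax_template.c hunk at @@ -2184 makes the same change with the extra `prefix` argument, so the increment correctly precedes `CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k], prefix));` and a failure in either the prefix or suffix SEI parser leaves entry k accounted for in cbs_h265_free_sei(). The two templates are kept identical here, which is the right call; whatever explanatory comment lands in the H.264 file should be mirrored in this one so they do not drift.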
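The leak described in the commit message, modelled in added example code that is not FFmpeg's: `read_payload`, `read_sei`, `free_sei` and the `live_allocs` counter are constructed stand-ins for FUNC(sei_payload), FUNC(sei), cbs_h26x_free_sei() and a leak detector, and the `count_in_loop` flag switches between the original bookkeeping (count set after the loop) and the patched one (count advanced before each CHECK).

```c
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOADS 4   /* stand-in for the SEI payload array bound */

typedef struct { void *data; } Payload;
typedef struct { Payload payload[MAX_PAYLOADS]; int payload_count; } SEI;

static int live_allocs;  /* constructed leak detector: buffers not yet freed */

/* Stand-in for FUNC(sei_payload): allocates, or fails when k == fail_at. */
static int read_payload(Payload *p, int k, int fail_at) {
    if (k == fail_at) return -1;
    p->data = malloc(16);
    live_allocs++;
    return 0;
}

/* Stand-in for cbs_h26x_free_sei(): releases the first payload_count entries. */
static void free_sei(SEI *s) {
    for (int k = 0; k < s->payload_count; k++)
        if (s->payload[k].data) { free(s->payload[k].data); live_allocs--; }
}

/* Reads n payloads. count_in_loop = 1 is the patched bookkeeping, 0 the original. */
static int read_sei(SEI *s, int n, int fail_at, int count_in_loop) {
    int k;
    for (k = 0; k < MAX_PAYLOADS; k++) {
        if (count_in_loop) s->payload_count++;         /* patched: count before CHECK */
        if (read_payload(&s->payload[k], k, fail_at) < 0)
            return -1;                                 /* early exit, as CHECK() does */
        if (k + 1 == n) break;    /* stand-in for !cbs_h2645_read_more_rbsp_data(rw) */
    }
    if (k >= MAX_PAYLOADS) return -1;                  /* "too many SEI messages" path */
    if (!count_in_loop) s->payload_count = k + 1;      /* original: only on success */
    return 0;
}

/* Buffers still allocated after a read followed by free: 0 means no leak. */
static int leaked_after(int n, int fail_at, int count_in_loop) {
    SEI s;
    memset(&s, 0, sizeof s);                           /* av_mallocz() equivalent */
    live_allocs = 0;
    read_sei(&s, n, fail_at, count_in_loop);
    free_sei(&s);
    return live_allocs;
}
```

With the original bookkeeping a failure on the third payload leaks the two already allocated, and an overlong SEI leaks all MAX_PAYLOADS of them; the patched bookkeeping frees everything on both paths.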