| Message ID | 20200607193545.30384-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | a5313ce6542a4ee4112acd260e59bff698f3dddd |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avformat/4xm: Cleanup on GET_LIST_HEADER() failure | expand |
| Context | Check | Description |
|---|---|---|
| andriy/default | pending | |
| andriy/make | success | Make finished |
| andriy/make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: memleak > Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/4xm.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/libavformat/4xm.c b/libavformat/4xm.c > index aea9226984..5f0504b13e 100644 > --- a/libavformat/4xm.c > +++ b/libavformat/4xm.c > @@ -59,8 +59,10 @@ > #define GET_LIST_HEADER() \ > fourcc_tag = avio_rl32(pb); \ > size = avio_rl32(pb); \ > - if (fourcc_tag != LIST_TAG) \ > - return AVERROR_INVALIDDATA; \ > + if (fourcc_tag != LIST_TAG) { \ > + ret = AVERROR_INVALIDDATA; \ > + goto fail; \ > + } \ > fourcc_tag = avio_rl32(pb); > > typedef struct AudioTrack { > @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) > unsigned int size; > int header_size; > FourxmDemuxContext *fourxm = s->priv_data; > - unsigned char *header; > + unsigned char *header = NULL; > int i, ret; > > fourxm->track_count = 0; > LGTM. (Alternatively, one could av_freep header immediately after the loop before the second occurrence of GET_LIST_HEADER.) - Andreas
On Sun, Jun 07, 2020 at 10:21:56PM +0200, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: memleak > > Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/4xm.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/libavformat/4xm.c b/libavformat/4xm.c > > index aea9226984..5f0504b13e 100644 > > --- a/libavformat/4xm.c > > +++ b/libavformat/4xm.c > > @@ -59,8 +59,10 @@ > > #define GET_LIST_HEADER() \ > > fourcc_tag = avio_rl32(pb); \ > > size = avio_rl32(pb); \ > > - if (fourcc_tag != LIST_TAG) \ > > - return AVERROR_INVALIDDATA; \ > > + if (fourcc_tag != LIST_TAG) { \ > > + ret = AVERROR_INVALIDDATA; \ > > + goto fail; \ > > + } \ > > fourcc_tag = avio_rl32(pb); > > > > typedef struct AudioTrack { > > @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) > > unsigned int size; > > int header_size; > > FourxmDemuxContext *fourxm = s->priv_data; > > - unsigned char *header; > > + unsigned char *header = NULL; > > int i, ret; > > > > fourxm->track_count = 0; > > > LGTM. will apply thx > (Alternatively, one could av_freep header immediately after the loop > before the second occurrence of GET_LIST_HEADER.) [...]
diff --git a/libavformat/4xm.c b/libavformat/4xm.c index aea9226984..5f0504b13e 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -59,8 +59,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0;
Fixes: memleak Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/4xm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)