diff mbox series

[FFmpeg-devel,25/26] avformat/mov: Fix memleak upon encountering repeating tags

Message ID 20200614223656.21338-25-andreas.rheinhardt@gmail.com
State Accepted
Commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d
Series [FFmpeg-devel,01/26] avformat/matroskadec: Move AVBufferRef instead of copying, fix memleak


Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt June 14, 2020, 10:36 p.m. UTC
mov_read_custom tries to read three strings belonging to three different
tags. When an already encountered tag is encountered again, a new buffer
for the string to be read is allocated and stored in the pointer
destined for this particular tag. But in this scenario, said pointer
already holds the address of the string read earlier, leading to a leak.

This commit therefore aborts the reading process upon
encountering an already encountered tag.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
I don't know if one should error out in this scenario or not; or one
could continue (i.e. use the already existing tag) or free the old one
and use the new one. But this loop is only executed three times and all
three tags need to be present for them to be of any use, so simply using
continue in the scenario here would not be useful.

 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 47bbb3697d..a59c804d16 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4434,6 +4434,9 @@  static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         } else
+        if (*p)
+            break;
         *p = av_malloc(len + 1);
         if (!*p) {
             ret = AVERROR(ENOMEM);
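
Review bot: the added `if (*p) break;` leaves the loop on a repeated tag without setting `ret` or logging anything, whereas the allocation-failure path right below it sets `ret = AVERROR(ENOMEM)`. As far as these lines show, a file with a duplicated tag is therefore dropped silently. Since the commit note itself is undecided on whether this should be an error, I would make the choice explicit in the code: either set `ret = AVERROR_INVALIDDATA` before the `break`, or emit an `av_log` warning naming the duplicated tag so malformed inputs are visible when triaging. A one-line comment above the check saying that it prevents the earlier buffer in `*p` from being overwritten and leaked would also help, because the reason for the early exit is not obvious from the code alone.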