diff mbox series

[FFmpeg-devel,3/3] avformat/mxfdec: Fix memleak upon repeating tags

Message ID 20200720061545.18854-3-andreas.rheinhardt@gmail.com
State Accepted
Commit 28ce651c6d53866c1b8c3b49b8b66a2e967aa273
Headers show
Series [FFmpeg-devel,1/3] avformat/mxfdec: Fix memleak when adding element to array fails
Related show

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt July 20, 2020, 6:15 a.m. UTC
When parsing MXF encountering some tags leads to allocations. And when
these tags were encountered repeatedly, this could lead to memleaks,
because the pointer to the old data got simply overwritten with a
pointer to the new data (or to NULL on allocation failure). This has
been fixed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/mxfdec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Tomas Härdin July 22, 2020, 12:34 p.m. UTC | #1
mån 2020-07-20 klockan 08:15 +0200 skrev Andreas Rheinhardt:
> When parsing MXF encountering some tags leads to allocations. And when
> these tags were encountered repeatedly, this could lead to memleaks,
> because the pointer to the old data got simply overwritten with a
> pointer to the new data (or to NULL on allocation failure). This has
> been fixed.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
> ---
>  libavformat/mxfdec.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 3016885e75..f0975f409e 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -850,6 +850,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
>  static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
>  {
>      *count = avio_rb32(pb);
> +    av_free(*refs);
>      *refs = av_calloc(*count, sizeof(UID));
>      if (!*refs) {
>          *count = 0;
> @@ -903,10 +904,8 @@ static int mxf_read_content_storage(void *arg, AVIOContext *pb, int tag, int siz
>      case 0x1901:
>          if (mxf->packages_refs)
>              av_log(mxf->fc, AV_LOG_VERBOSE, "Multiple packages_refs\n");
> -        av_free(mxf->packages_refs);
>          return mxf_read_strong_ref_array(pb, &mxf->packages_refs, &mxf->packages_count);
>      case 0x1902:
> -        av_free(mxf->essence_container_data_refs);

Good catch. Looks OK

/Tomas
diff mbox series

Patch

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 3016885e75..f0975f409e 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -850,6 +850,7 @@  static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
 static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
 {
     *count = avio_rb32(pb);
+    av_free(*refs);
     *refs = av_calloc(*count, sizeof(UID));
     if (!*refs) {
         *count = 0;
@@ -903,10 +904,8 @@  static int mxf_read_content_storage(void *arg, AVIOContext *pb, int tag, int siz
     case 0x1901:
         if (mxf->packages_refs)
             av_log(mxf->fc, AV_LOG_VERBOSE, "Multiple packages_refs\n");
-        av_free(mxf->packages_refs);
         return mxf_read_strong_ref_array(pb, &mxf->packages_refs, &mxf->packages_count);
     case 0x1902:
-        av_free(mxf->essence_container_data_refs);
         return mxf_read_strong_ref_array(pb, &mxf->essence_container_data_refs, &mxf->essence_container_data_count);
     }
     return 0;