From patchwork Sat Apr 3 14:22:27 2021
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 26723
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 3 Apr 2021 16:22:27 +0200
Message-ID: <20210403142227.3388037-2-andreas.rheinhardt@outlook.com>
X-Mailer: git-send-email 2.27.0
Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/mjpegdec: Fix leak in case ICC array allocations partially fail
List-Id: FFmpeg development discussions and patches
Cc: Andreas Rheinhardt

If only one of the two arrays used for the ICC profile could be successfully allocated, it might be overwritten and leak when the next ICC entry is encountered. Fix this by using a common struct, so that one has only one array to allocate.
Signed-off-by: Andreas Rheinhardt --- See https://github.com/drewnoakes/metadata-extractor/issues/65 for a sample. libavcodec/mjpegdec.c | 28 +++++++++++++--------------- libavcodec/mjpegdec.h | 8 ++++++-- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d0c933b52e..f3d9e99aab 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2088,28 +2088,26 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) /* Allocate if this is the first APP2 we've seen. */ if (s->iccnum == 0) { - s->iccdata = av_mallocz(nummarkers * sizeof(*(s->iccdata))); - s->iccdatalens = av_mallocz(nummarkers * sizeof(*(s->iccdatalens))); - if (!s->iccdata || !s->iccdatalens) { + if (!FF_ALLOCZ_TYPED_ARRAY(s->iccentries, nummarkers)) { av_log(s->avctx, AV_LOG_ERROR, "Could not allocate ICC data arrays\n"); return AVERROR(ENOMEM); } s->iccnum = nummarkers; } - if (s->iccdata[seqno - 1]) { + if (s->iccentries[seqno - 1].data) { av_log(s->avctx, AV_LOG_WARNING, "Duplicate ICC sequence number\n"); goto out; } - s->iccdatalens[seqno - 1] = len; - s->iccdata[seqno - 1] = av_malloc(len); - if (!s->iccdata[seqno - 1]) { + s->iccentries[seqno - 1].length = len; + s->iccentries[seqno - 1].data = av_malloc(len); + if (!s->iccentries[seqno - 1].data) { av_log(s->avctx, AV_LOG_ERROR, "Could not allocate ICC data buffer\n"); return AVERROR(ENOMEM); } - memcpy(s->iccdata[seqno - 1], align_get_bits(&s->gb), len); + memcpy(s->iccentries[seqno - 1].data, align_get_bits(&s->gb), len); skip_bits(&s->gb, len << 3); len = 0; s->iccread++; @@ -2318,11 +2316,11 @@ static void reset_icc_profile(MJpegDecodeContext *s) { int i; - if (s->iccdata) + if (s->iccentries) { for (i = 0; i < s->iccnum; i++) - av_freep(&s->iccdata[i]); - av_freep(&s->iccdata); - av_freep(&s->iccdatalens); + av_freep(&s->iccentries[i].data); + av_freep(&s->iccentries); + } s->iccread = 0; s->iccnum = 0; 
@@ -2838,7 +2836,7 @@ the_end: /* Sum size of all parts. */ for (i = 0; i < s->iccnum; i++) - total_size += s->iccdatalens[i]; + total_size += s->iccentries[i].length; sd = av_frame_new_side_data(frame, AV_FRAME_DATA_ICC_PROFILE, total_size); if (!sd) { @@ -2848,8 +2846,8 @@ the_end: /* Reassemble the parts, which are now in-order. */ for (i = 0; i < s->iccnum; i++) { - memcpy(sd->data + offset, s->iccdata[i], s->iccdatalens[i]); - offset += s->iccdatalens[i]; + memcpy(sd->data + offset, s->iccentries[i].data, s->iccentries[i].length); + offset += s->iccentries[i].length; } } diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index 732aeab994..0d69d9101b 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -44,6 +44,11 @@ #define MAX_COMPONENTS 4 +typedef struct ICCEntry { + uint8_t *data; + int length; +} ICCEntry; + typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; @@ -138,8 +143,7 @@ typedef struct MJpegDecodeContext { const AVPixFmtDescriptor *pix_desc; - uint8_t **iccdata; - int *iccdatalens; + ICCEntry *iccentries; int iccnum; int iccread;
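Review bot: in the mjpeg_decode_app hunk, `s->iccentries[seqno - 1].length = len;` is assigned before the `av_malloc(len)` on the next line is known to have succeeded, so on ENOMEM the entry is left with `length == len` and `data == NULL`. The later the_end loops sum `.length` and memcpy from `.data` for every `i < s->iccnum`, so the two fields should never disagree: move the assignment below the `if (!s->iccentries[seqno - 1].data)` check, or zero `.length` on that failure path. The same hunk indexes `s->iccentries[seqno - 1]` into an array sized by the first segment's `nummarkers` (the allocation and `s->iccnum = nummarkers` run only while `s->iccnum == 0`); the range check of `seqno` against `s->iccnum`, rather than against the current segment's `nummarkers`, sits outside the shown context and is worth confirming, since a later APP2 segment may advertise a different count.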
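Review bot: style point on the reset_icc_profile hunk: the new `if (s->iccentries) {` guard is redundant, because `av_freep()` accepts a pointer to NULL and `s->iccnum` is 0 whenever `s->iccentries` is NULL (the decode hunk sets `iccnum` only after the array allocation succeeds, and this function resets it to 0 after freeing), so the loop body cannot run in that case. Dropping the guard removes one level of nesting; keeping it is harmless and keeps the free of the entries array and of each `.data` visibly paired.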
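Review bot: in the first the_end hunk, `total_size += s->iccentries[i].length;` sums `int` lengths into `total_size`, whose declaration is outside the shown context; since the result is handed to `av_frame_new_side_data()` as the side-data size, a one-line comment stating the bound (each segment's `length` is limited by the APP2 marker length and `iccnum` by the one-byte marker count, so the sum cannot overflow `int`) would document why no overflow check is needed here.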
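Review bot: in the second the_end hunk, `memcpy(sd->data + offset, s->iccentries[i].data, s->iccentries[i].length);` dereferences `.data` for every `i < s->iccnum` without a NULL check, so it relies on a guard above this hunk (not shown) that every segment has been received (`iccread == iccnum`) before reassembly. With the decode hunk setting `.length` before the buffer allocation succeeds, an entry can carry `length > 0` with `data == NULL`; if that guard is purely count-based, confirm that a failed `av_malloc` cannot leave `iccread` incremented, or add `if (!s->iccentries[i].data) continue;` here as a belt-and-braces check.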
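Review bot: documentation point on the mjpegdec.h hunk: the new `ICCEntry` struct has no comment. Since the decode hunk indexes the array by APP2 sequence number minus one and uses `data == NULL` as the "segment not yet received" marker (the duplicate check is `if (s->iccentries[seqno - 1].data)`), a short comment on the struct stating that convention, and that `length` is the byte count of `data`, would save the next reader from reconstructing it. Keeping `length` as `int` matches the removed `int *iccdatalens`, so no type change is needed.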
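The leak mechanism the commit message describes, reproduced as an added example. This is not FFmpeg code: the `Before`/`After` contexts, the `x_alloc`/`x_freep` fault-injecting allocator (standing in for av_mallocz/av_freep) and the constructed `SEGMENT` payload are all assumptions made for the example. It drives both layouts through the same scenario, the fail_at-th allocation failing while a second APP2 segment still arrives, and counts blocks still live after the reset function has run, so the leak shows up as a nonzero count for the two-array layout and never for the single-entry-array layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator, constructed for this example; it stands in for
 * av_mallocz/av_freep. live_blocks counts blocks not yet freed. */
static int live_blocks, alloc_calls, fail_on_call; /* fail_on_call 0 = never */

static void *x_alloc(size_t n) {
    void *p = (++alloc_calls == fail_on_call) ? NULL : calloc(1, n ? n : 1);
    live_blocks += (p != NULL);
    return p;
}

static void x_freep(void *pp) {
    void **p = pp;
    if (!*p) return;
    free(*p); *p = NULL; live_blocks--;
}

/* "Before": two parallel arrays, mirroring the lines the patch removes. */
typedef struct Before { uint8_t **iccdata; int *iccdatalens; int iccnum; } Before;

static int before_add(Before *s, int nummarkers, int seqno, const uint8_t *buf, int len) {
    if (s->iccnum == 0) {
        /* Two allocations checked together: if only one fails, the other stays
         * set while iccnum stays 0, so the next segment allocates over it. */
        s->iccdata     = x_alloc(nummarkers * sizeof(*s->iccdata));
        s->iccdatalens = x_alloc(nummarkers * sizeof(*s->iccdatalens));
        if (!s->iccdata || !s->iccdatalens)
            return -1;
        s->iccnum = nummarkers;
    }
    if (seqno < 1 || seqno > s->iccnum || s->iccdata[seqno - 1])
        return -1; /* out of range for the first segment's count, or duplicate */
    s->iccdatalens[seqno - 1] = len;
    s->iccdata[seqno - 1] = x_alloc(len);
    if (!s->iccdata[seqno - 1])
        return -1;
    memcpy(s->iccdata[seqno - 1], buf, len);
    return 0;
}

static void before_reset(Before *s) {
    for (int i = 0; s->iccdata && i < s->iccnum; i++)
        x_freep(&s->iccdata[i]);
    x_freep(&s->iccdata);
    x_freep(&s->iccdatalens);
    s->iccnum = 0;
}

/* "After": one array of {data, length} entries, the layout the patch adopts. */
typedef struct Entry { uint8_t *data; int length; } Entry;
typedef struct After { Entry *entries; int iccnum; } After;

static int after_add(After *s, int nummarkers, int seqno, const uint8_t *buf, int len) {
    if (s->iccnum == 0) {
        /* One allocation: either it succeeds and iccnum records it, or it
         * fails and leaves the context untouched. Nothing to overwrite. */
        s->entries = x_alloc(nummarkers * sizeof(*s->entries));
        if (!s->entries)
            return -1;
        s->iccnum = nummarkers;
    }
    if (seqno < 1 || seqno > s->iccnum || s->entries[seqno - 1].data)
        return -1;
    s->entries[seqno - 1].data = x_alloc(len);
    if (!s->entries[seqno - 1].data)
        return -1;
    s->entries[seqno - 1].length = len; /* recorded only once data exists */
    memcpy(s->entries[seqno - 1].data, buf, len);
    return 0;
}

static void after_reset(After *s) {
    for (int i = 0; s->entries && i < s->iccnum; i++)
        x_freep(&s->entries[i].data);
    x_freep(&s->entries);
    s->iccnum = 0;
}

/* Same scenario for both layouts: the fail_at-th allocation fails (0 = none
 * fails), two APP2 segments (seqno 1 and 2 of 2) arrive, then the profile is
 * reset. Returns the blocks still live afterwards; 0 means no leak. */
static const uint8_t SEGMENT[] = "ICC_PROFILE" "\0" "constructed payload";

static int leaked_blocks(int fixed, int fail_at) {
    Before b = {0}; After a = {0};
    live_blocks = alloc_calls = 0; fail_on_call = fail_at;
    for (int seqno = 1; seqno <= 2; seqno++) {
        if (fixed) after_add(&a, 2, seqno, SEGMENT, (int)sizeof(SEGMENT));
        else       before_add(&b, 2, seqno, SEGMENT, (int)sizeof(SEGMENT));
    }
    if (fixed) after_reset(&a); else before_reset(&b);
    return live_blocks;
}
```

With the two-array layout, failing either the first or the second of the paired allocations leaves one block behind after reset (`leaked_blocks(0, 1)` and `leaked_blocks(0, 2)` both return 1), while a failure of the per-segment buffer allocation does not leak in either layout; the single-array layout returns 0 for every failure point. Running the two-array variant under a leak checker such as valgrind or ASan's LeakSanitizer shows the same block as "definitely lost".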