From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 7 Apr 2021 13:06:57 +0200
X-Patchwork-Id: 26793
Subject: [FFmpeg-devel] [PATCH] avformat/rmdec: Fix memleaks upon read_header failure

For both the RealMedia as well as the IVR demuxer (which share the same context) each AVStream's priv_data contains an AVPacket that might contain data (even when reading the header) and therefore needs to be unreferenced.
Up until now, this has not always been done: The RealMedia demuxer didn't do it when allocating a new stream's priv_data failed although there might be other streams with packets to unreference. (The reason for this was that until recently rm_read_close() couldn't handle an AVStream without priv_data, so one had to choose between a potential crash and a memleak.) The IVR demuxer meanwhile never ever called read_close so that the data already contained in packets leaks upon error. This patch fixes both demuxers by adding the appropriate cleanup code. Signed-off-by: Andreas Rheinhardt --- libavformat/rmdec.c | 38 ++++++++++++++++++++++---------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index b6f42183e8..1dec70e95b 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -614,8 +614,10 @@ static int rm_read_header(AVFormatContext *s) get_str8(pb, mime, sizeof(mime)); /* mimetype */ st->codecpar->codec_type = AVMEDIA_TYPE_DATA; st->priv_data = ff_rm_alloc_rmstream(); - if (!st->priv_data) - return AVERROR(ENOMEM); + if (!st->priv_data) { + ret = AVERROR(ENOMEM); + goto fail; + } size = avio_rb32(pb); codec_pos = avio_tell(pb); @@ -1249,20 +1251,19 @@ static int ivr_read_header(AVFormatContext *s) } for (n = 0; n < nb_streams; n++) { - st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); - st->priv_data = ff_rm_alloc_rmstream(); - if (!st->priv_data) - return AVERROR(ENOMEM); + if (!(st = avformat_new_stream(s, NULL)) || + !(st->priv_data = ff_rm_alloc_rmstream())) { + ret = AVERROR(ENOMEM); + goto fail; + } if (avio_r8(pb) != 1) - return AVERROR_INVALIDDATA; + goto invalid_data; count = avio_rb32(pb); for (i = 0; i < count; i++) { if (avio_feof(pb)) - return AVERROR_INVALIDDATA; + goto invalid_data; type = avio_r8(pb); tlen = avio_rb32(pb); 
@@ -1274,25 +1275,25 @@ static int ivr_read_header(AVFormatContext *s) } else if (type == 4 && !strncmp(key, "OpaqueData", tlen)) { ret = ffio_ensure_seekback(pb, 4); if (ret < 0) - return ret; + goto fail; if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) { ret = rm_read_multi(s, pb, st, NULL); } else { if (avio_feof(pb)) - return AVERROR_INVALIDDATA; + goto invalid_data; avio_seek(pb, -4, SEEK_CUR); ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, len, NULL); } if (ret < 0) - return ret; + goto fail; } else if (type == 4) { int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); for (j = 0; j < len; j++) { if (avio_feof(pb)) - return AVERROR_INVALIDDATA; + goto invalid_data; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); } av_log(s, AV_LOG_DEBUG, "'\n"); @@ -1309,14 +1310,19 @@ static int ivr_read_header(AVFormatContext *s) } if (avio_r8(pb) != 6) - return AVERROR_INVALIDDATA; + goto invalid_data; avio_skip(pb, 12); avio_skip(pb, avio_rb64(pb) + pos - avio_tell(s->pb)); if (avio_r8(pb) != 8) - return AVERROR_INVALIDDATA; + goto invalid_data; avio_skip(pb, 8); return 0; +invalid_data: + ret = AVERROR_INVALIDDATA; +fail: + rm_read_close(s); + return ret; } static int ivr_read_packet(AVFormatContext *s, AVPacket *pkt)
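
Review bot: in the rm_read_header hunk, the new `goto fail` on `!st->priv_data` reaches the cleanup path with an AVStream whose priv_data is NULL, and the commit message says rm_read_close() could not handle that case "until recently". Name the prerequisite commit in the message so that a backport of this patch without it does not trade the leak for a crash. The `fail` label this jump targets lies outside the hunk's context, so it is worth confirming that it ends in rm_read_close(s) as the description implies.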
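
Review bot: in the first ivr_read_header hunk, the merged condition `!(st = avformat_new_stream(s, NULL)) || !(st->priv_data = ff_rm_alloc_rmstream())` hides two assignments inside one `if`, and its correctness depends on short-circuit evaluation to avoid dereferencing a NULL `st`. Two separate checks, each setting `ret = AVERROR(ENOMEM)` and jumping to `fail`, would read more clearly at no real cost. They would also make it obvious that the second failure leaves a stream with NULL priv_data for rm_read_close(s) to walk over.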
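
Review bot: at the new `fail:` label at the end of ivr_read_header, the function calls rm_read_close(s) itself, so the cleanup runs twice if the caller also invokes the demuxer's read_close callback after a failed read_header. Please state in the commit message that the caller does not do this for the IVR demuxer, or that rm_read_close() is safe to call repeatedly on the same context. The fall-through from `invalid_data:` into `fail:` is easy to break in a later edit, and a one-line comment marking it as intentional would help.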