
[FFmpeg-devel,09/20] avcodec/vorbisenc: Don't free uninitialized pointers

Message ID HE1PR0301MB2154C08A8894E90FE78B1A5C8F579@HE1PR0301MB2154.eurprd03.prod.outlook.com
State Accepted
Commit 44e0a31ac4330d5b64cd7cde05900046943a25b2
Series [FFmpeg-devel,01/20] avcodec/wma: Remove nonsense volatile

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Andreas Rheinhardt May 7, 2021, 6:46 a.m. UTC
The Vorbis encoder allocates several arrays destined to contain pointers
to separately allocated arrays; yet these arrays are allocated without
initializing them: They are only uninitialized until their final values
are stored in them; so if allocating one of the earlier subarrays fails,
all of the remaining pointers to subarrays are still uninitialized.
But they are used for freeing, resulting in crashes.

Fix this by zero-initializing the arrays with subarrays.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/vorbisenc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Patch

diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c
index 1f7e9b3c91..dc54919f64 100644
--- a/libavcodec/vorbisenc.c
+++ b/libavcodec/vorbisenc.c
@@ -279,7 +279,7 @@  static int create_vorbis_context(vorbis_enc_context *venc,
     venc->log2_blocksize[0] = venc->log2_blocksize[1] = 11;
 
     venc->ncodebooks = FF_ARRAY_ELEMS(cvectors);
-    venc->codebooks  = av_malloc(sizeof(vorbis_enc_codebook) * venc->ncodebooks);
+    venc->codebooks  = av_mallocz(sizeof(vorbis_enc_codebook) * venc->ncodebooks);
     if (!venc->codebooks)
         return AVERROR(ENOMEM);
 
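Review bot: When this allocation fails, `venc->ncodebooks` is already non-zero while `venc->codebooks` is NULL, so zeroing the array only helps if the cleanup code checks the array pointer before walking it by count. The cleanup function is not part of this patch, so this is worth confirming there; the same set-count-then-allocate order is visible in the floors, classes, residues and mappings hunks. If the guard turns out to be missing, the free loop needs a check such as `if (venc->codebooks)` around it. create_vorbis_context starts and ends outside this hunk.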
@@ -318,7 +318,7 @@  static int create_vorbis_context(vorbis_enc_context *venc,
     }
 
     venc->nfloors = 1;
-    venc->floors  = av_malloc(sizeof(vorbis_enc_floor) * venc->nfloors);
+    venc->floors  = av_mallocz(sizeof(vorbis_enc_floor) * venc->nfloors);
     if (!venc->floors)
         return AVERROR(ENOMEM);
 
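Review bot: The size here is still an open-coded `sizeof(vorbis_enc_floor) * venc->nfloors`, whereas the classes hunk of this same patch switches to the overflow-checked `av_calloc`. With `nfloors` set to 1 on the line above this cannot overflow today, so it is a consistency point rather than a bug. Writing `venc->floors = av_calloc(venc->nfloors, sizeof(*venc->floors));` would zero the array and keep the multiplication checked if the count ever becomes variable. The codebooks, residues and mappings allocations could take the same form.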
@@ -335,7 +335,7 @@  static int create_vorbis_context(vorbis_enc_context *venc,
         fc->nclasses = FFMAX(fc->nclasses, fc->partition_to_class[i]);
     }
     fc->nclasses++;
-    fc->classes = av_malloc_array(fc->nclasses, sizeof(vorbis_enc_floor_class));
+    fc->classes = av_calloc(fc->nclasses, sizeof(vorbis_enc_floor_class));
     if (!fc->classes)
         return AVERROR(ENOMEM);
     for (i = 0; i < fc->nclasses; i++) {
@@ -375,7 +375,7 @@  static int create_vorbis_context(vorbis_enc_context *venc,
         return AVERROR_BUG;
 
     venc->nresidues = 1;
-    venc->residues  = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues);
+    venc->residues  = av_mallocz(sizeof(vorbis_enc_residue) * venc->nresidues);
     if (!venc->residues)
         return AVERROR(ENOMEM);
 
@@ -409,7 +409,7 @@  static int create_vorbis_context(vorbis_enc_context *venc,
         return ret;
 
     venc->nmappings = 1;
-    venc->mappings  = av_malloc(sizeof(vorbis_enc_mapping) * venc->nmappings);
+    venc->mappings  = av_mallocz(sizeof(vorbis_enc_mapping) * venc->nmappings);
     if (!venc->mappings)
         return AVERROR(ENOMEM);