aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndriy Gelman <andriy.gelman@gmail.com>2019-12-06 14:22:14 -0500
committerJames Almer <jamrial@gmail.com>2019-12-31 16:57:37 -0300
commit662accb728639131638cd5be5f227b25a4559211 (patch)
tree97b15eb068857d7cc79ad0f84b338e7644893633
parent4667920455c0d52c25835ff81098254213f2d018 (diff)
downloadffmpeg-662accb728639131638cd5be5f227b25a4559211.tar.gz
lavc/cbs_h2645_syntax_template: Fix memleak
payload_count is used to track the number of SEI payloads. It is also used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei(). Currently, payload_count is set after for loop is completed. Hence if there is an error and the function exits, the payload remains zero causing a memleak. This commit keeps track of payload_count inside the for loop to fix the issue. Note that that the contents of current are initialized with av_mallocz() so there is no need to zero initialize payload_count. Found-by: libFuzzer Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com> (cherry picked from commit c07a77247363eb666a49536af505e7317225ee81)
-rw-r--r--libavcodec/cbs_h264_syntax_template.c2
-rw-r--r--libavcodec/cbs_h265_syntax_template.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c
index 1671a15d33..878d348b94 100644
--- a/libavcodec/cbs_h264_syntax_template.c
+++ b/libavcodec/cbs_h264_syntax_template.c
@@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
current->payload[k].payload_type = payload_type;
current->payload[k].payload_size = payload_size;
+ current->payload_count++;
CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k]));
if (!cbs_h2645_read_more_rbsp_data(rw))
@@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
"SEI message: found %d.\n", k);
return AVERROR_INVALIDDATA;
}
- current->payload_count = k + 1;
#else
for (k = 0; k < current->payload_count; k++) {
PutBitContext start_state;
diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index 54570929ec..15114548c6 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
current->payload[k].payload_type = payload_type;
current->payload[k].payload_size = payload_size;
+ current->payload_count++;
CHECK(FUNC(sei_payload)(ctx, rw, &current->payload[k], prefix));
if (!cbs_h2645_read_more_rbsp_data(rw))
@@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw,
"SEI message: found %d.\n", k);
return AVERROR_INVALIDDATA;
}
- current->payload_count = k + 1;
#else
for (k = 0; k < current->payload_count; k++) {
PutBitContext start_state;