diff options
| author | James Almer <jamrial@gmail.com> | 2025-08-01 17:08:14 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2025-08-03 13:00:03 -0300 |
| commit | 89187a84d3e14590ae18e166e8ce76d41ca31c5e (patch) | |
| tree | cce931b6b8f8b0dab7612e22f9caf89f586f6b7d | |
| parent | 11a53339805950bf2d0b429cc598c5f6b83ae1c7 (diff) | |
| download | ffmpeg-89187a84d3e14590ae18e166e8ce76d41ca31c5e.tar.gz | |
avformat/mov: free streams earlier on error when parsing infe boxes
Fixes clusterfuzz-testcase-minimized-fuzzer_loadfile-5365661771825152.
Signed-off-by: James Almer <jamrial@gmail.com>
| -rw-r--r-- | libavformat/mov.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index e795a1c34d..92d6e2a2f5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5406,7 +5406,7 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item) return AVERROR(ENOMEM); sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) - return AVERROR(ENOMEM); + goto fail; item->st = st; st->id = item->item_id; @@ -5430,27 +5430,33 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item) sc->stsc_count = 1; sc->stsc_data = av_malloc_array(1, sizeof(*sc->stsc_data)); if (!sc->stsc_data) - return AVERROR(ENOMEM); + goto fail; sc->stsc_data[0].first = 1; sc->stsc_data[0].count = 1; sc->stsc_data[0].id = 1; sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets)); if (!sc->chunk_offsets) - return AVERROR(ENOMEM); + goto fail; sc->chunk_count = 1; sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes)); if (!sc->sample_sizes) - return AVERROR(ENOMEM); + goto fail; sc->sample_count = 1; sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data)); if (!sc->stts_data) - return AVERROR(ENOMEM); + goto fail; sc->stts_count = 1; sc->stts_data[0].count = 1; // Not used for still images. But needed by mov_build_index. sc->stts_data[0].duration = 0; return 0; +fail: + mov_free_stream_context(c->fc, st); + ff_remove_stream(c->fc, st); + item->st = NULL; + + return AVERROR(ENOMEM); } static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) @@ -9001,12 +9007,6 @@ fail: continue; av_freep(&item->name); - if (!item->st) - continue; - - mov_free_stream_context(c->fc, item->st); - ff_remove_stream(c->fc, item->st); - item->st = NULL; } return ret; } |