From fff2bdc8b835158773a8360fc2d50a10ca0d38af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 20:35:30 +0200 Subject: [PATCH] avformat/takdec: Free buffer on error pathes Fixes: memleak Fixes: 15446/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5662875831500800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/takdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/takdec.c b/libavformat/takdec.c index ee96c27992..c51a020161 100644 --- a/libavformat/takdec.c +++ b/libavformat/takdec.c @@ -146,7 +146,7 @@ static int tak_read_header(AVFormatContext *s) ret = avpriv_tak_parse_streaminfo(&ti, buffer, size -3); if (ret < 0) - return AVERROR_INVALIDDATA; + goto end; if (ti.samples > 0) st->duration = ti.samples; st->codecpar->bits_per_coded_sample = ti.bps; @@ -160,8 +160,10 @@ static int tak_read_header(AVFormatContext *s) st->codecpar->extradata_size = size - 3; buffer = NULL; } else if (type == TAK_METADATA_LAST_FRAME) { - if (size != 11) - return AVERROR_INVALIDDATA; + if (size != 11) { + ret = AVERROR_INVALIDDATA; + goto end; + } init_get_bits8(&gb, buffer, size - 3); tc->mlast_frame = 1; tc->data_end = get_bits64(&gb, TAK_LAST_FRAME_POS_BITS) + @@ -176,6 +178,9 @@ static int tak_read_header(AVFormatContext *s) } return AVERROR_EOF; +end: + av_freep(&buffer); + return ret; } static int raw_read_packet(AVFormatContext *s, AVPacket *pkt)