RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/truemotion2: Cleanup in case of tm2_read_stream() failure 

Fixes memleaks
Fixes: 245dae71bc28fe8f3f454300277e575a/signal_sigabrt_7ffff6ae7cb7_5062_f7d9dfa385454806586076f9db48c0bf.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2016-01-12 15:56:29 +01:00
parent 27fa70fdfe
commit 782c4ab4ed
1 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
libavcodec/truemotion2.c
View File

@ -344,31 +344,35 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
/* check if we have sane number of tokens */ /* check if we have sane number of tokens */
if ((toks < 0) || (toks > 0xFFFFFF)) { if ((toks < 0) || (toks > 0xFFFFFF)) {
av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks);
tm2_free_codes(&codes); ret = AVERROR_INVALIDDATA;
return AVERROR_INVALIDDATA; goto end;
} }
ret = av_reallocp_array(&ctx->tokens[stream_id], toks, sizeof(int)); ret = av_reallocp_array(&ctx->tokens[stream_id], toks, sizeof(int));
if (ret < 0) { if (ret < 0) {
ctx->tok_lens[stream_id] = 0; ctx->tok_lens[stream_id] = 0;
return ret; goto end;
} }
ctx->tok_lens[stream_id] = toks; ctx->tok_lens[stream_id] = toks;
len = bytestream2_get_be32(&gb); len = bytestream2_get_be32(&gb);
if (len > 0) { if (len > 0) {
pos = bytestream2_tell(&gb); pos = bytestream2_tell(&gb);
if (skip <= pos) if (skip <= pos) {
return AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
goto end;
}
init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8); init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
for (i = 0; i < toks; i++) { for (i = 0; i < toks; i++) {
if (get_bits_left(&ctx->gb) <= 0) { if (get_bits_left(&ctx->gb) <= 0) {
av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks); av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks);
return AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
goto end;
} }
ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes); ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes);
if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS || ctx->tokens[stream_id][i]<0) { if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS || ctx->tokens[stream_id][i]<0) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n",
ctx->tokens[stream_id][i], stream_id, i); ctx->tokens[stream_id][i], stream_id, i);
return AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
goto end;
} }
} }
} else { } else {
@ -377,13 +381,17 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) {
av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n",
ctx->tokens[stream_id][i], stream_id, i); ctx->tokens[stream_id][i], stream_id, i);
return AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
goto end;
} }
} }
} }
tm2_free_codes(&codes);
return skip; ret = skip;
end:
tm2_free_codes(&codes);
return ret;
} }
static inline int GET_TOK(TM2Context *ctx,int type) static inline int GET_TOK(TM2Context *ctx,int type)