oggdec: make sure the private parse data is cleaned up

(cherry picked from commit d894f74762)

Related to CVE-2012-2882

Conflicts:

	libavformat/oggdec.h
	libavformat/oggparsevorbis.c

libavformat/oggdec.c

@@ -508,6 +508,10 @@ static int ogg_read_close(AVFormatContext *s)
 
     for (i = 0; i < ogg->nstreams; i++) {
         av_free(ogg->streams[i].buf);
+        if (ogg->streams[i].codec &&
+            ogg->streams[i].codec->cleanup) {
+            ogg->streams[i].codec->cleanup(s, i);
+        }
         av_free(ogg->streams[i].private);
     }
     av_free(ogg->streams);

libavformat/oggdec.h

@@ -51,6 +51,11 @@ struct ogg_codec {
      * 0 if granule is the end time of the associated packet.
      */
     int granule_is_start;
+    /**
+     * Number of expected headers
+     */
+    int nb_header;
+    void (*cleanup)(AVFormatContext *s, int idx);
 };
 
 struct ogg_stream {

libavformat/oggparsevorbis.c

@@ -188,6 +188,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv,
     return offset;
 }
 
+static int vorbis_cleanup(AVFormatContext *s, int idx)
+{
+    struct ogg *ogg = s->priv_data;
+    struct ogg_stream *os = ogg->streams + idx;
+    struct oggvorbis_private *priv = os->private;
+    int i;
+    if (os->private)
+        for (i = 0; i < 3; i++)
+            av_freep(&priv->packet[i]);
+}
 
 static int
 vorbis_header (AVFormatContext * s, int idx)
@@ -278,5 +288,7 @@ vorbis_header (AVFormatContext * s, int idx)
 const struct ogg_codec ff_vorbis_codec = {
     .magic = "\001vorbis",
     .magicsize = 7,
-    .header = vorbis_header
+    .header = vorbis_header,
+    .cleanup= vorbis_cleanup,
+    .nb_header = 3,
 };