Hi, the last commit to lavf/mov.c might leave the metadata buffer allocated in certain error conditions. This patch fixes it.
-Thilo
From a2fabe107796cf0af5cd18310fad178c5650b168 Mon Sep 17 00:00:00 2001 From: Thilo Borgmann <thilo.borgm...@mail.de> Date: Tue, 21 Oct 2014 10:10:55 +0200 Subject: [PATCH] lavf/mov.c: Prevent memory leak in case of invalid metadata reads. --- libavformat/mov.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a7ec910..80549ec 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -355,16 +355,16 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) } #endif - str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input - str = av_malloc(str_size_alloc); - if (!str) - return AVERROR(ENOMEM); - if (!key) return 0; if (atom.size < 0) return AVERROR_INVALIDDATA; + str_size_alloc = str_size << 1; // worst-case requirement for output string in case of utf8 coded input + str = av_malloc(str_size_alloc); + if (!str) + return AVERROR(ENOMEM); + if (parse) parse(c, pb, str_size, key); else { @@ -372,8 +372,10 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) mov_read_mac_string(c, pb, str_size, str, str_size_alloc); } else { int ret = avio_read(pb, str, str_size); - if (ret != str_size) + if (ret != str_size) { + av_freep(&str); return ret < 0 ? ret : AVERROR_INVALIDDATA; + } str[str_size] = 0; } c->fc->event_flags |= AVFMT_EVENT_FLAG_METADATA_UPDATED; -- 1.9.3 (Apple Git-50)
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel