Re: [libav-devel] [PATCH 4/5] [RFC] jpeg2000: fix dereferencing invalid pointers

Wed, 27 Nov 2013 16:38:25 -0800 

On 27/11/13 17:11, Vittorio Giovara wrote:
> From: Michael Niedermayer <[email protected]>
> 
> Found-by: Laurent Butti <[email protected]>
> ---
> No sample to check the validity of the fix, although it seems correct.
> Vittorio


Use av_mallocz_array if you have to.

>  libavcodec/jpeg2000.c |   18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
> index bf46398..8149125 100644
> --- a/libavcodec/jpeg2000.c
> +++ b/libavcodec/jpeg2000.c
> @@ -276,7 +276,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
>                                          reslevel->log2_prec_height) -
>                  (reslevel->coord[1][0] >> reslevel->log2_prec_height);
>  
> -        reslevel->band = av_malloc_array(reslevel->nbands, 
> sizeof(*reslevel->band));
> +        reslevel->band = av_mallocz(reslevel->nbands * 
> sizeof(*reslevel->band));
>          if (!reslevel->band)
>              return AVERROR(ENOMEM);
>  
> @@ -372,9 +372,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
>              for (j = 0; j < 2; j++)
>                  band->coord[1][j] = ff_jpeg2000_ceildiv(band->coord[1][j], 
> dy);
>  
> -            band->prec = av_malloc_array(reslevel->num_precincts_x *
> -                                         reslevel->num_precincts_y,
> -                                         sizeof(*band->prec));
> +            band->prec = av_mallocz(reslevel->num_precincts_x *
> +                                    reslevel->num_precincts_y *
> +                                    sizeof(*band->prec));
>              if (!band->prec)
>                  return AVERROR(ENOMEM);
>  

> @@ -492,10 +492,12 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, 
> Jpeg2000CodingStyle *codsty)
>          for (bandno = 0; bandno < reslevel->nbands; bandno++) {
>              Jpeg2000Band *band = reslevel->band + bandno;
>              for (precno = 0; precno < reslevel->num_precincts_x * 
> reslevel->num_precincts_y; precno++) {
> -                Jpeg2000Prec *prec = band->prec + precno;
> -                av_freep(&prec->zerobits);
> -                av_freep(&prec->cblkincl);
> -                av_freep(&prec->cblk);
> +                if (band->prec) {
> +                    Jpeg2000Prec *prec = band->prec + precno;
> +                    av_freep(&prec->zerobits);
> +                    av_freep(&prec->cblkincl);
> +                    av_freep(&prec->cblk);
> +                }
>              }

Looks like the code has a incomplete failpath and who found the problem
decided that the easiest is spending a little more time on alloc/free.

Nicolas can you guess where the actual problem might be?

lu




_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to