On 5/26/2014 3:56 PM, Nidhi Makhijani wrote:
> @@ -91,8 +91,10 @@ static int rm_read_extradata(AVIOContext *pb,
> AVCodecContext *avctx, unsigned si
> return AVERROR(ENOMEM);
> avctx->extradata_size = avio_read(pb, avctx->extradata, size);
> memset(avctx->extradata + avctx->extradata_size, 0,
> FF_INPUT_BUFFER_PADDING_SIZE);
> - if (avctx->extradata_size != size)
> + if (avctx->extradata_size != size) {
> + av_free(&avctx->extradata_size);
> return AVERROR(EIO);
> + }
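Review bot: The `memset` above the new error branch still runs before the read result is validated, so when `avio_read()` returns a negative AVERROR the padding is written at `avctx->extradata + avctx->extradata_size`, which lies in front of the allocation. Moving the `if (avctx->extradata_size != size)` test above the `memset` closes that out-of-bounds write. Setting `avctx->extradata_size = 0;` in the failure branch also avoids leaving a negative or short size in the codec context for later readers. rm_read_extradata starts and ends outside the quoted lines, so whether the caller already guards against this is not visible here.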
extradata_size is not alloc'd.
> @@ -415,8 +419,12 @@ static int rm_read_header_old(AVFormatContext *s)
> rm->old_format = 1;
> st = avformat_new_stream(s, NULL);
> if (!st)
> - return -1;
> + return AVERROR(ENOMEM);
> st->priv_data = ff_rm_alloc_rmstream();
> + if (!st->priv_data) {
> + av_free(st);
> + return AVERROR(ENOMEM);
> + }
From the doxy:
User is required to call avcodec_close() and avformat_free_context() to
clean up the allocation by avformat_new_stream().
> @@ -494,9 +502,16 @@ static int rm_read_header(AVFormatContext *s)
> get_str8(pb, buf, sizeof(buf)); /* mimetype */
> st->codec->codec_type = AVMEDIA_TYPE_DATA;
> st->priv_data = ff_rm_alloc_rmstream();
> + if (!st->priv_data) {
> + av_free(st);
> + return AVERROR(ENOMEM);
> + }
Ditto.
> if (ff_rm_read_mdpr_codecdata(s, s->pb, st, st->priv_data,
> - avio_rb32(pb)) < 0)
> + avio_rb32(pb)) < 0) {
> + av_free(st);
> + av_free(st->priv_data);
This will be a null deref.
> if(av_new_packet(pkt, len + 9) < 0)
> - return AVERROR(EIO);
> + return AVERROR(ENOMEM);
Should be a separate patch.
- Derek