[libav-devel] [PATCH] ogg: check memory allocations

Nidhi Makhijani Thu, 05 Jun 2014 00:52:20 -0700

---
 libavformat/oggdec.c | 100 +++++++++++++++++++++++++++++++++++----------------
 1 file changed, 69 insertions(+), 31 deletions(-)


diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index ae9da3a..604c1f6 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -59,10 +59,13 @@ static const struct ogg_codec * const ogg_codecs[] = {
 //FIXME We could avoid some structure duplication
 static int ogg_save(AVFormatContext *s)
 {
+    int i;
     struct ogg *ogg = s->priv_data;
     struct ogg_state *ost =
         av_malloc(sizeof(*ost) + (ogg->nstreams - 1) * sizeof(*ogg->streams));
-    int i;
+    if (!ost)
+        return AVERROR(ENOMEM);
+
     ost->pos      = avio_tell(s->pb);
     ost->curidx   = ogg->curidx;
     ost->next     = ogg->state;
@@ -72,6 +75,13 @@ static int ogg_save(AVFormatContext *s)
     for (i = 0; i < ogg->nstreams; i++) {
         struct ogg_stream *os = ogg->streams + i;
         os->buf = av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
+        if (!os->buf) {
+            int n;
+            for (n = 0; n < i; n++)
+                av_free(ogg->streams[n].buf);
+            av_freep(&ost);
+            return AVERROR(ENOMEM);
+        }
         memcpy(os->buf, ost->streams[i].buf, os->bufpos);
     }
 
@@ -169,14 +179,21 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t 
serial, int new_avstream)
     os                = ogg->streams + idx;
     os->serial        = serial;
     os->bufsize       = DECODER_BUFFER_SIZE;
-    os->buf           = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     os->header        = -1;
     os->start_granule = OGG_NOGRANULE_VALUE;
+    os->buf           = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
+    if (!os->buf) {
+        av_freep(&os);
+        return AVERROR(ENOMEM);
+    }
 
     if (new_avstream) {
         st = avformat_new_stream(s, NULL);
-        if (!st)
+        if (!st) {
+            av_freep(&os->buf);
+            av_freep(&os);
             return AVERROR(ENOMEM);
+        }
 
         st->id = idx;
         avpriv_set_pts_info(st, 64, 1, 1000000);
@@ -188,8 +205,11 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t 
serial, int new_avstream)
 static int ogg_new_buf(struct ogg *ogg, int idx)
 {
     struct ogg_stream *os = ogg->streams + idx;
-    uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     int size = os->bufpos - os->pstart;
+    uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
+
+    if (!nb)
+        return AVERROR(ENOMEM);
 
     if (os->buf) {
         memcpy(nb, os->buf + os->pstart, size);
@@ -276,8 +296,11 @@ static int ogg_read_page(AVFormatContext *s, int *str)
     os = ogg->streams + idx;
     os->page_pos = avio_tell(bc) - 27;
 
-    if (os->psize > 0)
-        ogg_new_buf(ogg, idx);
+    if (os->psize > 0) {
+        ret = ogg_new_buf(ogg, idx);
+        if (ret < 0)
+            return ret;
+    }
 
     ret = avio_read(bc, os->segments, nsegs);
     if (ret < nsegs)
@@ -494,10 +517,29 @@ static int ogg_get_headers(AVFormatContext *s)
     return 0;
 }
 
-static int ogg_get_length(AVFormatContext *s)
+
+static int ogg_read_close(AVFormatContext *s)
 {
     struct ogg *ogg = s->priv_data;
     int i;
+
+    for (i = 0; i < ogg->nstreams; i++) {
+        av_free(ogg->streams[i].buf);
+        if (ogg->streams[i].codec &&
+            ogg->streams[i].codec->cleanup) {
+            ogg->streams[i].codec->cleanup(s, i);
+        }
+        av_free(ogg->streams[i].private);
+    }
+    av_free(ogg->state);
+    av_free(ogg->streams);
+    return 0;
+}
+
+static int ogg_get_length(AVFormatContext *s)
+{
+    struct ogg *ogg = s->priv_data;
+    int i, ret = 0;
     int64_t size, end;
 
     if (!s->pb->seekable)
@@ -512,7 +554,10 @@ static int ogg_get_length(AVFormatContext *s)
         return 0;
     end = size > MAX_PAGE_SIZE ? size - MAX_PAGE_SIZE : 0;
 
-    ogg_save(s);
+    ret = ogg_save(s);
+    if (ret < 0)
+        goto fail;
+
     avio_seek(s->pb, end, SEEK_SET);
 
     while (!ogg_read_page(s, &i)) {
@@ -525,26 +570,15 @@ static int ogg_get_length(AVFormatContext *s)
         }
     }
 
-    ogg_restore(s, 0);
-
-    return 0;
-}
+    ret = ogg_restore(s, 0);
+    if (ret < 0)
+        goto fail;
 
-static int ogg_read_close(AVFormatContext *s)
-{
-    struct ogg *ogg = s->priv_data;
-    int i;
+    return ret;
 
-    for (i = 0; i < ogg->nstreams; i++) {
-        av_free(ogg->streams[i].buf);
-        if (ogg->streams[i].codec &&
-            ogg->streams[i].codec->cleanup) {
-            ogg->streams[i].codec->cleanup(s, i);
-        }
-        av_free(ogg->streams[i].private);
-    }
-    av_free(ogg->streams);
-    return 0;
+fail:
+    ogg_read_close(s);
+    return ret;
 }
 
 static int ogg_read_header(AVFormatContext *s)
@@ -554,20 +588,24 @@ static int ogg_read_header(AVFormatContext *s)
     ogg->curidx = -1;
     //linear headers seek from start
     ret = ogg_get_headers(s);
-    if (ret < 0) {
-        ogg_read_close(s);
-        return ret;
-    }
+    if (ret < 0)
+        goto fail;
 
     for (i = 0; i < ogg->nstreams; i++)
         if (ogg->streams[i].header < 0)
             ogg->streams[i].codec = NULL;
 
     //linear granulepos seek from end
-    ogg_get_length(s);
+    ret = ogg_get_length(s);
+    if (ret < 0)
+        goto fail;
 
     //fill the extradata in the per codec callbacks
     return 0;
+
+fail:
+    ogg_read_close(s);
+    return ret;
 }
 
 static int64_t ogg_calc_pts(AVFormatContext *s, int idx, int64_t *dts)
-- 
1.9.1

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH] ogg: check memory allocations

Reply via email to