[FFmpeg-cvslog] ttadec: fix invalid free when an error occurs while decoding 24-bit tta

[Justin Ruggles]

ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Thu Feb  9 14:49:59 2012 -0500| [6ab681a4c1ffc0d5c36ebf13a10e0ecc61c81429] | committer: Justin Ruggles

ttadec: fix invalid free when an error occurs while decoding 24-bit tta

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ab681a4c1ffc0d5c36ebf13a10e0ecc61c81429
---

 libavcodec/tta.c |   23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 49d5953..853f6a2 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -339,12 +339,16 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
             unary--;
         }
 
-        if (get_bits_left(&s->gb) < k)
-            return -1;
+        if (get_bits_left(&s->gb) < k) {
+            ret = AVERROR_INVALIDDATA;
+            goto error;
+        }
 
         if (k) {
-            if (k > MIN_CACHE_BITS)
-                return -1;
+            if (k > MIN_CACHE_BITS) {
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
             value = (unary << k) + get_bits(&s->gb, k);
         } else
             value = unary;
@@ -397,8 +401,10 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
         }
     }
 
-    if (get_bits_left(&s->gb) < 32)
-        return -1;
+    if (get_bits_left(&s->gb) < 32) {
+        ret = AVERROR_INVALIDDATA;
+        goto error;
+    }
     skip_bits_long(&s->gb, 32); // frame crc
 
     // convert to output buffer
@@ -419,6 +425,11 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
     *(AVFrame *)data = s->frame;
 
     return buf_size;
+error:
+    // reset decode buffer
+    if (s->bps == 3)
+        s->decode_buffer = NULL;
+    return ret;
 }
 
 static av_cold int tta_decode_close(AVCodecContext *avctx) {