[FFmpeg-cvslog] jpeg2000: fix dereferencing invalid pointers during cleanup

[Vittorio Giovara]

ffmpeg | branch: release/2.2 | Vittorio Giovara <vittorio.giovara at gmail.com> | Sun Mar  9 18:52:40 2014 +0100| [74f6df745a05d3d8b3dcfc28992c69a70ae87957] | committer: Luca Barbato

jpeg2000: fix dereferencing invalid pointers during cleanup

CC: libav-stable at libav.org
Found-by: Laurent Butti <laurentb at gmail.com>
Signed-off-by: Vittorio Giovara <vittorio.giovara at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74f6df745a05d3d8b3dcfc28992c69a70ae87957
---

 libavcodec/jpeg2000.c |   31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index bf46398..154409e 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -228,7 +228,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
         if (!comp->i_data)
             return AVERROR(ENOMEM);
     }
-    comp->reslevel = av_malloc_array(codsty->nreslevels, sizeof(*comp->reslevel));
+    comp->reslevel = av_mallocz_array(codsty->nreslevels, sizeof(*comp->reslevel));
     if (!comp->reslevel)
         return AVERROR(ENOMEM);
     /* LOOP on resolution levels */
@@ -276,7 +276,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
                                         reslevel->log2_prec_height) -
                 (reslevel->coord[1][0] >> reslevel->log2_prec_height);
 
-        reslevel->band = av_malloc_array(reslevel->nbands, sizeof(*reslevel->band));
+        reslevel->band = av_mallocz_array(reslevel->nbands, sizeof(*reslevel->band));
         if (!reslevel->band)
             return AVERROR(ENOMEM);
 
@@ -372,9 +372,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
             for (j = 0; j < 2; j++)
                 band->coord[1][j] = ff_jpeg2000_ceildiv(band->coord[1][j], dy);
 
-            band->prec = av_malloc_array(reslevel->num_precincts_x *
-                                         reslevel->num_precincts_y,
-                                         sizeof(*band->prec));
+            band->prec = av_mallocz_array(reslevel->num_precincts_x *
+                                          reslevel->num_precincts_y,
+                                          sizeof(*band->prec));
             if (!band->prec)
                 return AVERROR(ENOMEM);
 
@@ -487,15 +487,30 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, Jpeg2000CodingStyle *codsty)
     for (reslevelno = 0;
          comp->reslevel && reslevelno < codsty->nreslevels;
          reslevelno++) {
-        Jpeg2000ResLevel *reslevel = comp->reslevel + reslevelno;
+        Jpeg2000ResLevel *reslevel;
+
+        if (!comp->reslevel)
+            continue;
 
+        reslevel = comp->reslevel + reslevelno;
         for (bandno = 0; bandno < reslevel->nbands; bandno++) {
-            Jpeg2000Band *band = reslevel->band + bandno;
+            Jpeg2000Band *band;
+
+            if (!reslevel->band)
+                continue;
+
+            band = reslevel->band + bandno;
             for (precno = 0; precno < reslevel->num_precincts_x * reslevel->num_precincts_y; precno++) {
-                Jpeg2000Prec *prec = band->prec + precno;
+                Jpeg2000Prec *prec;
+
+                if (!band->prec)
+                    continue;
+
+                prec = band->prec + precno;
                 av_freep(&prec->zerobits);
                 av_freep(&prec->cblkincl);
                 av_freep(&prec->cblk);
+
             }
 
             av_freep(&band->prec);