[FFmpeg-devel] [PATCH] mov: Fix leaking memory with multiple drefs.

Michael Niedermayer michaelni at gmx.at
Fri Apr 13 11:51:44 CEST 2012


On Thu, Apr 12, 2012 at 05:56:57PM -0700, dalecurtis at chromium.org wrote:
> From: Dale Curtis <dalecurtis at chromium.org>
> 
> Instead of allocating over the original, free first. MOVStreamContext
> is zero initialized so no double free will occur. Same style as other
> fixes for the same problem in this file.
> 
> Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
> ---
>  libavformat/mov.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index b4ff1df..7075033 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -400,6 +400,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>      entries = avio_rb32(pb);
>      if (entries >= UINT_MAX / sizeof(*sc->drefs))
>          return AVERROR_INVALIDDATA;
> +    av_free(sc->drefs);
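
Review bot: the added av_free(sc->drefs) leaves sc->drefs pointing at freed memory and does not touch the entry count, so if the allocation that the commit message says follows this line fails, the stream context keeps a stale count alongside an unusable pointer. Use av_freep(&sc->drefs) so the pointer is cleared, and reset sc->drefs_count = 0 on the same line group before allocating.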

This needs a sc->drefs_count = 0
for the case that the mallocz fails, otherwise we might be left with a
NULL dref and >0 drefs_count possibly.

I'll fix the similar cases in mov that do this free atm.


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato