[FFmpeg-devel] [PATCH] mov: Fix leaking memory with multiple drefs.

Michael Niedermayer michaelni at gmx.at
Fri Apr 13 11:59:00 CEST 2012


On Fri, Apr 13, 2012 at 11:51:44AM +0200, Michael Niedermayer wrote:
> On Thu, Apr 12, 2012 at 05:56:57PM -0700, dalecurtis at chromium.org wrote:
> > From: Dale Curtis <dalecurtis at chromium.org>
> > 
> > Instead of allocating over the original, free first. MOVStreamContext
> > is zero initialized so no double free will occur. Same style as other
> > fixes for the same problem in this file.
> > 
> > Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
> > ---
> >  libavformat/mov.c |    1 +
> >  1 files changed, 1 insertions(+), 0 deletions(-)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index b4ff1df..7075033 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -400,6 +400,7 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >      entries = avio_rb32(pb);
> >      if (entries >= UINT_MAX / sizeof(*sc->drefs))
> >          return AVERROR_INVALIDDATA;
> > +    av_free(sc->drefs);
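
Review bot: the added av_free(sc->drefs) after the entries bound check leaves sc->drefs pointing at freed memory, and nothing in the hunk resets the count that belongs to it. The commit message relies on zero initialization to rule out a double free, but that only covers the first dref atom; on a later one the pointer stays stale until it is reassigned. Suggest av_freep(&sc->drefs) together with sc->drefs_count = 0, so any error return after this line leaves a NULL pointer with a zero count.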
> 
> this needs a sc->drefs_count = 0
> for the case that the mallocz fails, otherwise we might be left with a
> NULL dref and >0 drefs_count possibly

alternatively av_realloc() could be used as it leaves the original
intact in case of failure


> 
> I'll fix the similar cases in mov that do this free atm

done, seems it was only extradata that was affected

[...]


-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What does censorship reveal? It reveals fear. -- Julian Assange
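
The two options raised in this thread (free first and reset the count, or reallocate so the original survives a failure), as an added C example that is not part of the original message or of FFmpeg's code. `Ref`, `Stream`, `resize`, `consistent` and the `fail_next_alloc` hook are hypothetical names, and plain `realloc`/`free` stand in for the av_* allocators.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for this example, not FFmpeg's own structures. */
typedef struct { unsigned type; } Ref;
typedef struct { Ref *refs; unsigned count; } Stream;

static int fail_next_alloc; /* hook for the example: force one allocation failure */

static void *resize(void *p, size_t bytes)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, bytes);
}

/* Invariant that readers of the table rely on: count > 0 implies refs != NULL. */
static int consistent(const Stream *s) { return s->count == 0 || s->refs != NULL; }

/* Free first, and clear the count before allocating the new table. */
static int reload_free_first(Stream *s, unsigned entries)
{
    if (entries == 0 || entries >= UINT_MAX / sizeof(*s->refs))
        return -1;              /* this example rejects an empty table */
    free(s->refs);
    s->count = 0;               /* old count must not outlive the old table */
    s->refs  = resize(NULL, entries * sizeof(*s->refs));
    if (!s->refs)
        return -1;              /* state is empty but consistent */
    memset(s->refs, 0, entries * sizeof(*s->refs));
    s->count = entries;
    return 0;
}

/* Realloc variant: on failure the old table and its count are untouched. */
static int reload_keep_old(Stream *s, unsigned entries)
{
    Ref *tmp;
    if (entries == 0 || entries >= UINT_MAX / sizeof(*s->refs))
        return -1;
    tmp = resize(s->refs, entries * sizeof(*tmp));
    if (!tmp)
        return -1;              /* s->refs and s->count still match */
    memset(tmp, 0, entries * sizeof(*tmp));
    s->refs  = tmp;
    s->count = entries;
    return 0;
}
```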