[FFmpeg-devel] [PATCH v2] lavc/cbs_h2645_syntax_template: Fix memleak
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Mon Dec 16 17:00:33 EET 2019
On Fri, Dec 6, 2019 at 8:22 PM Andriy Gelman <andriy.gelman at gmail.com> wrote:
> From: Andriy Gelman <andriy.gelman at gmail.com>
>
> payload_count is used to track the number of SEI payloads. It is also
> used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().
>
> Currently, payload_count is set after for loop is completed. Hence if
> there is an error and the function exits, the payload remains zero
> causing a memleak.
>
> This commit keeps track of payload_count inside the for loop to fix the
> issue. Note that the contents of current are initialized with
> av_mallocz() so there is no need to zero initialize payload_count.
>
> Found-by: libFuzzer
> Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
> ---
> libavcodec/cbs_h264_syntax_template.c | 2 +-
> libavcodec/cbs_h265_syntax_template.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/cbs_h264_syntax_template.c
> b/libavcodec/cbs_h264_syntax_template.c
> index 1671a15d330..878d348b948 100644
> --- a/libavcodec/cbs_h264_syntax_template.c
> +++ b/libavcodec/cbs_h264_syntax_template.c
> @@ -954,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx,
> RWContext *rw,
> current->payload[k].payload_type = payload_type;
> current->payload[k].payload_size = payload_size;
>
> + current->payload_count++;
> CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k]));
>
> if (!cbs_h2645_read_more_rbsp_data(rw))
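Review bot: the `current->payload_count++` is placed correctly before `CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k]));` rather than after it; since cbs_h264_free_sei() walks payload[0..payload_count-1], incrementing after the CHECK would still leak whatever sei_payload allocated for payload[k] before it failed. The trade-off is that the read path now relies on payload_count being zero on entry, which the commit message attributes to av_mallocz() in the caller; an explicit `current->payload_count = 0;` before the loop, or a one-line comment at the increment, would make that assumption visible in the template itself rather than in the allocator of `current`.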
> @@ -964,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx,
> RWContext *rw,
> "SEI message: found %d.\n", k);
> return AVERROR_INVALIDDATA;
> }
> - current->payload_count = k + 1;
> #else
> for (k = 0; k < current->payload_count; k++) {
> PutBitContext start_state;
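Review bot: dropping `current->payload_count = k + 1;` is required once the increment lives inside the loop, otherwise the count would be k + 1 plus the per-iteration increments and the free path would walk past the parsed entries. A side benefit worth noting in the commit message: the `AVERROR_INVALIDDATA` return just above for the too-many-messages case ("SEI message: found %d.\n") previously also left payload_count at zero, so that exit leaked as well and is now covered. The write-side `#else` loop over payload_count is unaffected.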
> diff --git a/libavcodec/cbs_h265_syntax_template.c
> b/libavcodec/cbs_h265_syntax_template.c
> index 54570929ec7..15114548c60 100644
> --- a/libavcodec/cbs_h265_syntax_template.c
> +++ b/libavcodec/cbs_h265_syntax_template.c
> @@ -2184,6 +2184,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx,
> RWContext *rw,
> current->payload[k].payload_type = payload_type;
> current->payload[k].payload_size = payload_size;
>
> + current->payload_count++;
> CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix));
>
> if (!cbs_h2645_read_more_rbsp_data(rw))
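Review bot: the ordering matches the H.264 hunk, increment before `CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix));`, and the same caveat applies: the read path now depends on payload_count starting at zero. If a reset or a comment is added to the H.264 template, mirror it here so the two templates do not drift; the extra `prefix` argument does not change the reasoning.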
> @@ -2194,7 +2195,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx,
> RWContext *rw,
> "SEI message: found %d.\n", k);
> return AVERROR_INVALIDDATA;
> }
> - current->payload_count = k + 1;
> #else
> for (k = 0; k < current->payload_count; k++) {
> PutBitContext start_state;
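Review bot: as in cbs_h264_syntax_template.c, removing `current->payload_count = k + 1;` is the correct complement to the in-loop increment, and the preceding `AVERROR_INVALIDDATA` return for too many SEI messages now also leaves every parsed payload counted for cbs_h265_free_sei(). Since the logic is now identical in both templates, a single commit message paragraph stating that both exits (sei_payload failure and the message-count check) are fixed would document the full effect.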
> --
>
>
LGTM.
- Andreas
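As an added illustration of the pattern this patch fixes (example code written for this reply, not FFmpeg's; the struct, function and constant names, the allocation counter and the sample inputs are all hypothetical), the following cut-down model puts the count-after-the-loop reader beside the count-inside-the-loop reader and measures which one leaves allocations live after the free path runs on a truncated input:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FFmpeg code: a model of the SEI payload array filled by
 * cbs_h2645_syntax_template.c. Every name here is hypothetical. */

#define MAX_PAYLOADS    8
#define ERR_INVALIDDATA (-1)
#define ERR_NOMEM       (-2)

typedef struct {
    size_t         payload_size;
    unsigned char *data;   /* per-payload allocation, released by sei_free() */
} Payload;

typedef struct {
    Payload payload[MAX_PAYLOADS];
    int     payload_count; /* number of entries sei_free() will walk */
} SeiMessage;

static int g_live_allocs;  /* allocation balance, instrumentation only */

static unsigned char *payload_alloc(size_t n)
{
    unsigned char *p = malloc(n);
    if (p)
        g_live_allocs++;
    return p;
}

static void payload_free(unsigned char *p)
{
    if (p) {
        g_live_allocs--;
        free(p);
    }
}

/* Mirrors cbs_h264_free_sei(): frees only the first payload_count entries. */
static void sei_free(SeiMessage *m)
{
    for (int k = 0; k < m->payload_count; k++)
        payload_free(m->payload[k].data);
    m->payload_count = 0;
}

/* Stand-in for sei_payload(): allocates first, then may reject the data.
 * A size byte of 0 models a body that fails to parse after its buffer
 * has already been allocated. */
static int read_payload(Payload *p, unsigned char size)
{
    p->payload_size = size;
    p->data = payload_alloc(size ? size : 1);
    if (!p->data)
        return ERR_NOMEM;
    if (size == 0)
        return ERR_INVALIDDATA;
    memset(p->data, 0xAA, size);
    return 0;
}

/* Before the patch: payload_count is written only after the loop, so an
 * error return leaves it at 0 and sei_free() releases nothing. */
static int sei_read_before(SeiMessage *m, const unsigned char *in, int n)
{
    int k;
    for (k = 0; k < n; k++) {
        if (k >= MAX_PAYLOADS)
            return ERR_INVALIDDATA;
        int err = read_payload(&m->payload[k], in[k]);
        if (err < 0)
            return err;        /* payload[0..k] allocated but uncounted */
    }
    m->payload_count = k;
    return 0;
}

/* After the patch: the count advances before the call that can fail, so the
 * entry being parsed is already covered by sei_free(). Depends on
 * payload_count being 0 on entry (the caller zeroes the struct). */
static int sei_read_after(SeiMessage *m, const unsigned char *in, int n)
{
    for (int k = 0; k < n; k++) {
        if (k >= MAX_PAYLOADS)
            return ERR_INVALIDDATA;
        m->payload_count++;
        int err = read_payload(&m->payload[k], in[k]);
        if (err < 0)
            return err;
    }
    return 0;
}

/* Constructed inputs: one byte per payload giving its size; the 0 in
 * BAD_INPUT makes the third payload fail inside read_payload(). */
static const unsigned char GOOD_INPUT[] = { 3, 5, 2 };
static const unsigned char BAD_INPUT[]  = { 3, 5, 0, 2 };

/* Run one reader, release the message the way the CBS free path does on
 * both success and error, and report how many allocations are still live. */
static int leaked_after(int (*reader)(SeiMessage *, const unsigned char *, int),
                        const unsigned char *in, int n)
{
    SeiMessage *m = calloc(1, sizeof(*m)); /* zeroed, like av_mallocz() */
    if (!m)
        return -1;
    g_live_allocs = 0;
    reader(m, in, n);
    sei_free(m);
    free(m);
    return g_live_allocs;
}

int main(void)
{
    printf("good input: before=%d after=%d leaked\n",
           leaked_after(sei_read_before, GOOD_INPUT, 3),
           leaked_after(sei_read_after,  GOOD_INPUT, 3));
    printf("bad input:  before=%d after=%d leaked\n",
           leaked_after(sei_read_before, BAD_INPUT, 4),
           leaked_after(sei_read_after,  BAD_INPUT, 4));
    return 0;
}
```

On the good input both readers leave nothing live; on the bad input the pre-patch reader leaves three buffers (two complete payloads plus the buffer of the one that failed) because sei_free() sees a count of zero, while the patched ordering frees all three. The model also shows why the increment must precede the failing call rather than follow it: the third buffer is allocated before the parse error is raised.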