[FFmpeg-devel] [PATCH v1 4/6] avcodec/magicyuv: fix for the memory leak if failed

Fri Oct 11 09:14:42 EEST 2019

From: Limin Wang <lance.lmwang at gmail.com>

Signed-off-by: Limin Wang <lance.lmwang at gmail.com>
---
 libavcodec/magicyuv.c | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index 0b1ac7345a..c905c2ca22 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -661,12 +661,16 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
 
     for (i = 0; i < s->planes; i++) {
         av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice));
-        if (!s->slices[i])
-            return AVERROR(ENOMEM);
+        if (!s->slices[i]) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
 
         offset = bytestream2_get_le32(&gbyte);
-        if (offset >= avpkt->size - header_size)
-            return AVERROR_INVALIDDATA;
+        if (offset >= avpkt->size - header_size) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
 
         if (i == 0)
             first_offset = offset;
@@ -675,8 +679,10 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
             s->slices[i][j].start = offset + header_size;
 
             next_offset = bytestream2_get_le32(&gbyte);
-            if (next_offset <= offset || next_offset >= avpkt->size - header_size)
-                return AVERROR_INVALIDDATA;
+            if (next_offset <= offset || next_offset >= avpkt->size - header_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
 
             s->slices[i][j].size = next_offset - offset;
             offset = next_offset;
@@ -686,28 +692,32 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
         s->slices[i][j].size  = avpkt->size - s->slices[i][j].start;
     }
 
-    if (bytestream2_get_byte(&gbyte) != s->planes)
-        return AVERROR_INVALIDDATA;
+    if (bytestream2_get_byte(&gbyte) != s->planes) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
 
     bytestream2_skip(&gbyte, s->nb_slices * s->planes);
 
     table_size = header_size + first_offset - bytestream2_tell(&gbyte);
-    if (table_size < 2)
-        return AVERROR_INVALIDDATA;
+    if (table_size < 2) {
+        ret = AVERROR_INVALIDDATA;
+        goto fail;
+    }
 
     ret = init_get_bits8(&gbit, avpkt->data + bytestream2_tell(&gbyte), table_size);
     if (ret < 0)
-        return ret;
+        goto fail;
 
     ret = build_huffman(avctx, &gbit, s->max);
     if (ret < 0)
-        return ret;
+        goto fail;
 
     p->pict_type = AV_PICTURE_TYPE_I;
     p->key_frame = 1;
 
     if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0)
-        return ret;
+        goto fail;
 
     s->buf = avpkt->data;
     s->p = p;
@@ -736,6 +746,13 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data,
     *got_frame = 1;
 
     return avpkt->size;
+
+fail:
+    for (i = 0; i < FF_ARRAY_ELEMS(s->slices); i++) {
+        av_freep(&s->slices[i]);
+        s->slices_size[i] = 0;
+    }
+    return ret;
 }
 
 #if HAVE_THREADS
-- 
2.21.0

