jpeg2000: fix dereferencing invalid pointers during cleanup

CC: libav-stable@libav.org Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
2014-03-09 18:52:40 +01:00
parent 46c477c2a1
commit 74f6df745a
1 changed files with 23 additions and 8 deletions
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -228,7 +228,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
        if (!comp->i_data)
            return AVERROR(ENOMEM);
    }
-    comp->reslevel = av_malloc_array(codsty->nreslevels, sizeof(*comp->reslevel));
+    comp->reslevel = av_mallocz_array(codsty->nreslevels, sizeof(*comp->reslevel));
    if (!comp->reslevel)
        return AVERROR(ENOMEM);
    /* LOOP on resolution levels */
@@ -276,7 +276,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
                                        reslevel->log2_prec_height) -
                (reslevel->coord[1][0] >> reslevel->log2_prec_height);
-        reslevel->band = av_malloc_array(reslevel->nbands, sizeof(*reslevel->band));
+        reslevel->band = av_mallocz_array(reslevel->nbands, sizeof(*reslevel->band));
        if (!reslevel->band)
            return AVERROR(ENOMEM);
@@ -372,7 +372,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
            for (j = 0; j < 2; j++)
                band->coord[1][j] = ff_jpeg2000_ceildiv(band->coord[1][j], dy);
-            band->prec = av_malloc_array(reslevel->num_precincts_x *
+            band->prec = av_mallocz_array(reslevel->num_precincts_x *
                                          reslevel->num_precincts_y,
                                          sizeof(*band->prec));
            if (!band->prec)
@@ -487,15 +487,30 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, Jpeg2000CodingStyle *codsty)
    for (reslevelno = 0;
         comp->reslevel && reslevelno < codsty->nreslevels;
         reslevelno++) {
-        Jpeg2000ResLevel *reslevel = comp->reslevel + reslevelno;
+        Jpeg2000ResLevel *reslevel;
        if (!comp->reslevel)
            continue;
        reslevel = comp->reslevel + reslevelno;
        for (bandno = 0; bandno < reslevel->nbands; bandno++) {
-            Jpeg2000Band *band = reslevel->band + bandno;
+            Jpeg2000Band *band;
            if (!reslevel->band)
                continue;
            band = reslevel->band + bandno;
            for (precno = 0; precno < reslevel->num_precincts_x * reslevel->num_precincts_y; precno++) {
-                Jpeg2000Prec *prec = band->prec + precno;
+                Jpeg2000Prec *prec;
                if (!band->prec)
                    continue;
                prec = band->prec + precno;
                av_freep(&prec->zerobits);
                av_freep(&prec->cblkincl);
                av_freep(&prec->cblk);
            }
            av_freep(&band->prec);