highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/movtextdec: Fix decode_styl() cleanup

Browse Source 
Fixes: null pointer dereference
Fixes: 555/clusterfuzz-testcase-5986646595993600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-02-06 11:17:10 +01:00
parent 4fcdc9f359
commit e248522d1b
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/movtextdec.c
View File

@ -116,6 +116,8 @@ static void mov_text_cleanup(MovTextContext *m)
av_freep(&m->s[i]); av_freep(&m->s[i]);
} }
av_freep(&m->s); av_freep(&m->s);
m->count_s = 0;
m->style_entries = 0;
} }
} }
@ -279,12 +281,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
{ {
int i; int i;
m->style_entries = AV_RB16(tsmb); int style_entries = AV_RB16(tsmb);
tsmb += 2; tsmb += 2;
// A single style record is of length 12 bytes. // A single style record is of length 12 bytes.
if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size)
return -1; return -1;
m->style_entries = style_entries;
m->box_flags |= STYL_BOX; m->box_flags |= STYL_BOX;
for(i = 0; i < m->style_entries; i++) { for(i = 0; i < m->style_entries; i++) {
m->s_temp = av_malloc(sizeof(*m->s_temp)); m->s_temp = av_malloc(sizeof(*m->s_temp));