Date: Thu, 8 May 2025 16:13:34 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20250508141334.GN29660@pb2>
References: <20250209022421.2346210-1-michael@niedermayer.cc>
 <20250209022421.2346210-3-michael@niedermayer.cc>
 <DU0P250MB0747AD278DB8C8E9143CC4938FF22@DU0P250MB0747.EURP250.PROD.OUTLOOK.COM>
 <20250216143429.GD4991@pb2>
MIME-Version: 1.0
In-Reply-To: <20250216143429.GD4991@pb2>
Subject: Re: [FFmpeg-devel] [PATCH 3/6] avcodec/aac/aacdec_usac: Fix memory deallocation of pl_data
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250508141334.GN29660@pb2/>


On Sun, Feb 16, 2025 at 03:34:29PM +0100, Michael Niedermayer wrote:
> On Mon, Feb 10, 2025 at 05:34:38PM +0100, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > Fixes: double free
> > > Fixes: 393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavcodec/aac/aacdec.c      | 19 +++++++++++++++++--
> > >  libavcodec/aac/aacdec_usac.c |  3 ++-
> > >  2 files changed, 19 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
> > > index 8d50ad6d095..16259b5ada9 100644
> > > --- a/libavcodec/aac/aacdec.c
> > > +++ b/libavcodec/aac/aacdec.c
> > > @@ -421,6 +421,21 @@ static uint64_t sniff_channel_order(uint8_t (*la=
yout_map)[3], int tags)
> > >      return layout;
> > >  }
> > > =20
> > > +static void copy_oc(OutputConfiguration *dst, OutputConfiguration *s=
rc)
> > > +{
> > > +    int err =3D 0;
> >
> > Seems unused.
>
> I saw it after sending the patch
>
>
> >
> > > +
> > > +    for(int i =3D 0; i < dst->usac.nb_elems; i++)
> > > +        av_freep(&dst->usac.elems[i].ext.pl_data);
> > > +
> > > +    *dst =3D *src;
> > > +
> > > +    for(int i =3D 0; i < dst->usac.nb_elems; i++) {
> > > +        AACUsacElemConfig *e =3D &dst->usac.elems[i];
> > > +        e->ext.pl_data =3D av_memdup(e->ext.pl_data, e->ext.pl_data_=
offset);
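
Review bot: the av_memdup() result on the last line of the hunk is assigned straight back into e->ext.pl_data, so an allocation failure is silently turned into pl_data == NULL while pl_data_offset keeps its old value; nothing propagates the error (the `int err = 0;` declared above is never set), and any consumer that trusts pl_data_offset will then read through a NULL pointer. Returning early on failure is not enough on its own either, because after `*dst = *src` every element not yet reached still holds src's pointer and would be freed twice, which is the cleanup problem Andreas points at. Suggest clearing dst's pointers right after the struct copy (`e->ext.pl_data = NULL;` for every element), duplicating from src->usac.elems[i].ext.pl_data, checking each av_memdup(), freeing the copies made so far and returning AVERROR(ENOMEM) on failure, with copy_oc() returning int so the caller can act on it. Minor: both `for(int i` loops want a space after `for` per FFmpeg style.
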
> >=20
> > Unchecked allocation. Furthermore, the *dst =3D *src makes cleanup on
> > error here a PITA.
>=20
> > Would making pl_data reference-counted (via
> > RefStruct) work instead?
>=20
> likely, yes

> do you want to implement that?

ping

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.
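
The ownership problem discussed in this thread, as an added example in C that is not FFmpeg's code and not from any participant: a config struct whose elements own heap payloads (modelled on pl_data, with a pl_data_len field standing in for pl_data_offset) is copied once by plain struct assignment, which leaves two owners of every buffer, and once by a deep copy that clears the copied pointers before duplicating, so that a failure part-way through can be cleaned up by freeing dst's own copies without ever touching src. The type names, MAX_ELEMS, the payload_alloc hook and the sample bytes are assumptions constructed for this example; FFmpeg's own code would use av_memdup() and av_freep().

```c
/* Added example, not FFmpeg's code: deep-copying a struct whose elements own heap
 * payloads (modelled on the patch's pl_data) beside the shallow struct assignment
 * that leaves two owners of one buffer. Type names, MAX_ELEMS, the allocator hook
 * and the sample bytes are assumptions made for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 4
typedef struct { uint8_t *pl_data; size_t pl_data_len; } ElemConfig; /* len stands in for pl_data_offset */
typedef struct { int nb_elems; ElemConfig elems[MAX_ELEMS]; } Config;

/* Allocator hook so the error path can be exercised: fail the Nth call (0-based); -1 = never fail. */
static int g_alloc_fail_at = -1, g_alloc_count = 0;
static void *payload_alloc(size_t n) {
    if (g_alloc_fail_at >= 0 && g_alloc_count++ == g_alloc_fail_at) return NULL;
    return malloc(n);
}

static void config_free_payloads(Config *c) { /* release every payload, leave c empty but valid */
    for (int i = 0; i < c->nb_elems; i++) free(c->elems[i].pl_data);
    memset(c, 0, sizeof(*c));
}

/* The fix: duplicate every payload. dst's pointers are cleared right after the struct copy, so a
 * failure part-way through is cleaned up by freeing dst's own copies without ever touching src. */
static int config_copy_deep(Config *dst, const Config *src) {
    config_free_payloads(dst);
    *dst = *src;
    for (int i = 0; i < dst->nb_elems; i++)
        dst->elems[i].pl_data = NULL;
    for (int i = 0; i < dst->nb_elems; i++) {
        const ElemConfig *s = &src->elems[i];
        uint8_t *p;
        if (!s->pl_data) continue;
        if (!(p = payload_alloc(s->pl_data_len))) {
            config_free_payloads(dst);
            return -1;
        }
        memcpy(p, s->pl_data, s->pl_data_len);
        dst->elems[i].pl_data = p;
    }
    return 0;
}

/* 1 if a and b point at the same payload buffer, i.e. freeing both would be a double free. */
static int config_shares_payload(const Config *a, const Config *b) {
    for (int i = 0; i < a->nb_elems; i++)
        for (int j = 0; j < b->nb_elems; j++)
            if (a->elems[i].pl_data && a->elems[i].pl_data == b->elems[j].pl_data) return 1;
    return 0;
}

/* Constructed sample payloads; each check below returns 1 on success, 0 on failure. */
static const uint8_t SAMPLE[2][5]  = { { 1, 2, 3 }, { 0xAA, 0xBB, 0xCC, 0xDD, 0xEE } };
static const size_t  SAMPLE_LEN[2] = { 3, 5 };

static int build_sample(Config *c) {
    memset(c, 0, sizeof(*c));
    for (int i = 0; i < 2; i++) {
        if (!(c->elems[i].pl_data = malloc(SAMPLE_LEN[i]))) return 0;
        memcpy(c->elems[i].pl_data, SAMPLE[i], SAMPLE_LEN[i]);
        c->elems[i].pl_data_len = SAMPLE_LEN[i];
        c->nb_elems++;
    }
    return 1;
}

static int check_shallow_copy_aliases(void) {
    Config src, dst;
    if (!build_sample(&src)) return 0;
    dst = src;                    /* the bug: struct assignment copies the pointers */
    int aliased = config_shares_payload(&src, &dst);
    config_free_payloads(&src);   /* freeing dst as well would be the double free */
    return aliased;
}

static int check_deep_copy_independent(void) {
    Config src, dst = { 0 };
    if (!build_sample(&src)) return 0;
    int ok = config_copy_deep(&dst, &src) == 0 && dst.nb_elems == 2 &&
             !config_shares_payload(&src, &dst) &&
             memcmp(dst.elems[1].pl_data, SAMPLE[1], SAMPLE_LEN[1]) == 0;
    config_free_payloads(&src);
    config_free_payloads(&dst);   /* safe: dst owns its own buffers */
    return ok;
}

static int check_alloc_failure_leaves_no_alias(void) {
    Config src, dst = { 0 };
    if (!build_sample(&src)) return 0;
    g_alloc_count = 0; g_alloc_fail_at = 1;   /* first payload copies, second allocation fails */
    int ok = config_copy_deep(&dst, &src) == -1 && dst.nb_elems == 0 &&
             !config_shares_payload(&src, &dst);
    g_alloc_fail_at = -1;
    config_free_payloads(&src);
    config_free_payloads(&dst);   /* a no-op now, and safe */
    return ok;
}
```

check_shallow_copy_aliases() shows the state the fuzzer hit: after `dst = src` both structs hold the same pointer, so freeing both is the double free. check_alloc_failure_leaves_no_alias() drives the hook so the second duplication fails; because the pointers were cleared before the loop, config_copy_deep() can free dst's own copies, return -1 and leave src untouched, which is the cleanup that becomes awkward once the struct copy has already made dst's elements point at src's buffers.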
