From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 021E04CC52
	for <ffmpegdev@gitmailbox.com>; Fri, 27 Jun 2025 14:09:43 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 1304468D2E2;
	Fri, 27 Jun 2025 17:09:39 +0300 (EEST)
Received: from mail-pl1-f196.google.com (mail-pl1-f196.google.com
 [209.85.214.196])
 by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 2525268D1AE
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Jun 2025 17:09:32 +0300 (EEST)
Received: by mail-pl1-f196.google.com with SMTP id
 d9443c01a7336-23602481460so24872735ad.0
 for <ffmpeg-devel@ffmpeg.org>; Fri, 27 Jun 2025 07:09:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1751033370; x=1751638170; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=Cu1CCXVND/E0cLou5ZZNZMlxa3CKHGyoJSyrWayKLHU=;
 b=Pw8YQKJleW+Ef4kfVWj0y9HE8EP/4QlyeOpghwD8ApHfj7+4Alz0QZSsLFmt8UDOJN
 k8Q/6YYPAjkgM4Vr7jpgh0/0swi7fxGv86ivRt7dEKgzchHO8YPW7WVrN2Hu/MUD42PJ
 nmbiu0kyNcSKqypytszwCDKlA4U2+5q1xVJ688IdsCRTmM+2BNaW9WiKmnoZJT3l4G+h
 KgTMuzz15NmQ9/BQfXTMEgoiLfLX786bx/dnntwfGyNpwtGjPmdu2t0UQ2XyYhkPBQaS
 KycytAF4dP5LBsumNVscn1Ve8OnL4kZCQp+S1oyr1M296xOhF15dv1k3uecOZfdqKAuD
 nhgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1751033370; x=1751638170;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=Cu1CCXVND/E0cLou5ZZNZMlxa3CKHGyoJSyrWayKLHU=;
 b=exb26K7WF8grno3ITqOK5W6ep5EIh+Z2hKauw6ObBP7I23MZGgsze3LpvaoqkAjQdo
 KcCuUNrZMnWxRx0YYg+e1bYi/sf1FpV3jMbW55D6d3ImA4xAJH5fpKs4HdKOOG5ykohQ
 cnHEkTzCZFB/9sphftBRbLyTaRTK6+DNyrT0hn9YVbzxbLVS3Y7HqFLw+FUh7BQGFJu7
 C/kUvlflocGR4ZZ/KCH9J+eeUzZUq33H1upEPvNDelQEcST5fZ7ACWlAFFQhS+jEnriU
 aaYN0eTrqyl6hCcCx+nCwXZPLkHaNLzWxvqkNNRurUlJTHrN8nu826Nl35kO2iC68vtK
 AeDw==
X-Gm-Message-State: AOJu0Yx/gsj6gA8TOo+WqS97H+d+lenrK47QIzD+7tlUdl3ULVOHNSpC
 a1Y1Lz9cnVmMxPxQfHU1olspJzrPIMCC5lyIwGZ8ICIiWO80qRtAjKfP0lWEGwvN7ByBZw==
X-Gm-Gg: ASbGncuZ7S/iOwGExLjoVIXFZTyRn5L0M6zsTUmesvi1KJykp+dv7f3Sw0Dtp7wb2hi
 u7fHg6zQrS+yaiQIpkH6zVZFDABjctpOAB3UodkoLIMd3ode9PbO8A2h6naKn1VfeR+mU6LHUwN
 I3ZFz6iAtJbnSvO5y4lmfRkz7A36x4DoSGvlyGThoij3cbvj+qVmKCM+G7KEhDPEWAgPXKvR//f
 hLnFSvHLlH38d6QyEMxcy4OVxTOwAFYdr5VZw4Q3qXUU5XF71nNjhbYUd+OsC7dd8fwH69JEZNv
 L424eYXYKfagbQ1wBfOaA2UfIU59H1n7eILySNceRiCkyh8bhL9ns0GP4cYOBjb7gW3M
X-Google-Smtp-Source: AGHT+IFl0+PJFLbOucj0Z2WOjl0rfCQmJkCkbm8lSu+icI1lMei9/2tRFPVAMZwfddUijt1PCh6OVg==
X-Received: by 2002:a17:903:1c6:b0:234:b41e:37a2 with SMTP id
 d9443c01a7336-23ac2d86627mr49205945ad.11.1751033369794; 
 Fri, 27 Jun 2025 07:09:29 -0700 (PDT)
Received: from r760 ([188.253.126.206]) by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-23acb3c1d3csm18007685ad.207.2025.06.27.07.09.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 27 Jun 2025 07:09:28 -0700 (PDT)
From: Lidong Yan <yldhome2d2-at-gmail.com@ffmpeg.org>
X-Google-Original-From: Lidong Yan <502024330056@smail.nju.edu.cn>
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 27 Jun 2025 22:09:15 +0800
Message-ID: <20250627140918.2832152-2-502024330056@smail.nju.edu.cn>
X-Mailer: git-send-email 2.50.0.108.g6ae0c543ae
In-Reply-To: <20250627140918.2832152-1-502024330056@smail.nju.edu.cn>
References: <20250627140918.2832152-1-502024330056@smail.nju.edu.cn>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in
 error paths
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Lidong Yan <502024330056@smail.nju.edu.cn>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250627140918.2832152-2-502024330056@smail.nju.edu.cn/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

In mov_write_iacb_tag(), avio_open_dyn_buf() allocates a buffer
but we forgot to free it when ff_iamf_write_descriptors() failed. Add
cleanup code and goto cleanup if error happened.

In mov_preroll_write_stbl_atoms(), av_malloc_array() allocates an
array and it leaks if packets distance > 32. Add av_free(sgpd_entries)
before return.

In mov_write_track_udta_tag(), avio_open_dyn_buf() allocates a buffer,
and this buffer leaks if mov_write_track_kinds() failed. Add cleanup
code and goto cleanup if error happened.

Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
 libavformat/movenc.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index a651d6d618..c9a55c1817 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -337,14 +337,18 @@ static int mov_write_iacb_tag(AVFormatContext *s, AVIOContext *pb, MOVTrack *tra
 
     ret = ff_iamf_write_descriptors(track->iamf, dyn_bc, s);
     if (ret < 0)
-        return ret;
+        goto cleanup;
 
     dyn_size = avio_close_dyn_buf(dyn_bc, &dyn_buf);
     ffio_write_leb(pb, dyn_size);
     avio_write(pb, dyn_buf, dyn_size);
-    av_free(dyn_buf);
+    ret = update_size(pb, pos);
 
-    return update_size(pb, pos);
+cleanup:
+    if (!dyn_buf)
+        avio_close_dyn_buf(dyn_bc, &dyn_buf);
+    av_free(dyn_buf);
+    return ret;
 }
 #endif
 
@@ -3173,8 +3177,10 @@ static int mov_preroll_write_stbl_atoms(AVIOContext *pb, MOVTrack *track)
             if (roll_samples_remaining > 0)
                 distance = 0;
             /* Verify distance is a maximum of 32 (2.5ms) packets. */
-            if (distance > 32)
+            if (distance > 32) {
+                av_free(sgpd_entries);
                 return AVERROR_INVALIDDATA;
+            }
             if (i && distance == sgpd_entries[entries].roll_distance) {
                 sgpd_entries[entries].count++;
             } else {
@@ -4186,7 +4192,7 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
 
     if (mov->mode & MODE_MP4) {
         if ((ret = mov_write_track_kinds(pb_buf, st)) < 0)
-            return ret;
+            goto cleanup;
     }
 
     if ((size = avio_get_dyn_buf(pb_buf, &buf)) > 0) {
@@ -4194,9 +4200,11 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
         ffio_wfourcc(pb, "udta");
         avio_write(pb, buf, size);
     }
-    ffio_free_dyn_buf(&pb_buf);
+    ret = 0;
 
-    return 0;
+cleanup:
+    ffio_free_dyn_buf(&pb_buf);
+    return ret;
 }
 
 static int mov_write_trak_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContext *mov,
-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".