[FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer

[FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer

[Lidong Yan]

Fix multiple leaks in error paths. Simply add av_free() in error path or
replace return AVERROR* with goto cleanup to prevent from leaks.

Lidong Yan (4):
  avformat/movenc: fix multiple leaks in error paths
  avcodec/vorbisenc: fix leak if av_mallocz failed
  avfilter/vf_lut3d: fix leak if allocate_3dlut failed
  avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated
    memory

 libavcodec/vorbisenc.c    |  4 +++-
 libavfilter/vf_lut3d.c    |  2 +-
 libavformat/iamf_writer.c | 47 +++++++++++++++++++++++++--------------
 libavformat/movenc.c      | 22 ++++++++++++------
 4 files changed, 49 insertions(+), 26 deletions(-)

-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths

[Lidong Yan]

In mov_write_iacb_tag(), avio_open_dyn_buf() allocates a buffer
but we forgot to free it when ff_iamf_write_descriptors() failed. Add
cleanup code and goto cleanup if error happened.

In mov_preroll_write_stbl_atoms(), av_malloc_array() allocates an
array and it leaks if packets distance > 32. Add av_free(sgpd_entries)
before return.

In mov_write_track_udta_tag(), avio_open_dyn_buf() allocates a buffer,
and this buffer leaks if mov_write_track_kinds() failed. Add cleanup
code and goto cleanup if error happened.

Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
 libavformat/movenc.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index a651d6d618..c9a55c1817 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -337,14 +337,18 @@ static int mov_write_iacb_tag(AVFormatContext *s, AVIOContext *pb, MOVTrack *tra
 
     ret = ff_iamf_write_descriptors(track->iamf, dyn_bc, s);
     if (ret < 0)
-        return ret;
+        goto cleanup;
 
     dyn_size = avio_close_dyn_buf(dyn_bc, &dyn_buf);
     ffio_write_leb(pb, dyn_size);
     avio_write(pb, dyn_buf, dyn_size);
-    av_free(dyn_buf);
+    ret = update_size(pb, pos);
 
-    return update_size(pb, pos);
+cleanup:
+    if (!dyn_buf)
+        avio_close_dyn_buf(dyn_bc, &dyn_buf);
+    av_free(dyn_buf);
+    return ret;
 }
 #endif
 
@@ -3173,8 +3177,10 @@ static int mov_preroll_write_stbl_atoms(AVIOContext *pb, MOVTrack *track)
             if (roll_samples_remaining > 0)
                 distance = 0;
             /* Verify distance is a maximum of 32 (2.5ms) packets. */
-            if (distance > 32)
+            if (distance > 32) {
+                av_free(sgpd_entries);
                 return AVERROR_INVALIDDATA;
+            }
             if (i && distance == sgpd_entries[entries].roll_distance) {
                 sgpd_entries[entries].count++;
             } else {
@@ -4186,7 +4192,7 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
 
     if (mov->mode & MODE_MP4) {
         if ((ret = mov_write_track_kinds(pb_buf, st)) < 0)
-            return ret;
+            goto cleanup;
     }
 
     if ((size = avio_get_dyn_buf(pb_buf, &buf)) > 0) {
@@ -4194,9 +4200,11 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
         ffio_wfourcc(pb, "udta");
         avio_write(pb, buf, size);
     }
-    ffio_free_dyn_buf(&pb_buf);
+    ret = 0;
 
-    return 0;
+cleanup:
+    ffio_free_dyn_buf(&pb_buf);
+    return ret;
 }
 
 static int mov_write_trak_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContext *mov,
-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/4] avcodec/vorbisenc: fix leak if av_mallocz failed

[Lidong Yan]

In put_main_header(), av_mallocz() allocates memory to local variable
buffer, buffer leaks if av_mallocz() to *out failed. Add av_free(buffer)
before return error code.

Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
 libavcodec/vorbisenc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c
index 99ac72c910..b4680a11ed 100644
--- a/libavcodec/vorbisenc.c
+++ b/libavcodec/vorbisenc.c
@@ -740,8 +740,10 @@ static int put_main_header(vorbis_enc_context *venc, uint8_t **out)
 
     len = hlens[0] + hlens[1] + hlens[2];
     p = *out = av_mallocz(64 + len + len/255);
-    if (!p)
+    if (!p) {
+        av_freep(&buffer);
         return AVERROR(ENOMEM);
+    }
 
     *p++ = 2;
     p += av_xiphlacing(p, hlens[0]);
-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/4] avfilter/vf_lut3d: fix leak if allocate_3dlut failed

[Lidong Yan]

In parse_cinespace(), memory allocated in in_prelut[] and out_prelut[]
would leak if allocate_3dlut() failed. Replace return ret with goto end
to free memory before return error code.

Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
 libavfilter/vf_lut3d.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c
index 5f6bfc65b3..46afe36f6c 100644
--- a/libavfilter/vf_lut3d.c
+++ b/libavfilter/vf_lut3d.c
@@ -1006,7 +1006,7 @@ static int parse_cinespace(AVFilterContext *ctx, FILE *f)
 
             ret = allocate_3dlut(ctx, size, prelut);
             if (ret < 0)
-                return ret;
+                goto end;
 
             for (int k = 0; k < size; k++) {
                 for (int j = 0; j < size; j++) {
-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/4] avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated memory

[Lidong Yan]

In iamf_write_codec_config(), if codec_id equals to AV_CODEC_ID_AAC,
avio_open_dyn_buf() allocated memory would leak. Add ffio_free_dyn_buf()
to free dyn_bc before return.

In iamf_write_audio_element(), multiple places returns without free
dyn_bc, replace return AVERROR* with goto cleanup and add cleanup code
to free dyn_bc. Do the same thing for iamf_write_audio_element() and
write_parameter_block().

Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
 libavformat/iamf_writer.c | 47 +++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c
index f88987790d..2e8df602b1 100644
--- a/libavformat/iamf_writer.c
+++ b/libavformat/iamf_writer.c
@@ -523,6 +523,7 @@ static int iamf_write_codec_config(const IAMFContext *iamf,
         avio_write(dyn_bc, codec_config->extradata, codec_config->extradata_size);
         break;
     case AV_CODEC_ID_AAC:
+        ffio_free_dyn_buf(&dyn_bc);
         return AVERROR_PATCHWELCOME;
     case AV_CODEC_ID_FLAC:
         avio_w8(dyn_bc, 0x80);
@@ -774,7 +775,8 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
                 if (layout == 3 || layout == 4 || layout == 6 || layout == 7) {
                     av_log(log_ctx, AV_LOG_ERROR, "demixing_info needed but not set in Stream Group #%u\n",
                            audio_element->audio_element_id);
-                    return AVERROR(EINVAL);
+                    ret = AVERROR(EINVAL);
+                    goto cleanup;
                 }
             }
             param_definition_types &= ~AV_IAMF_PARAMETER_DEFINITION_DEMIXING;
@@ -794,7 +796,7 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
         param_def = ff_iamf_get_param_definition(iamf, param->parameter_id);
         ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
         if (ret < 0)
-            return ret;
+            goto cleanup;
 
         avio_w8(dyn_bc, demix->dmixp_mode << 5); // dmixp_mode
         avio_w8(dyn_bc, element->default_w << 4); // default_w
@@ -806,24 +808,25 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
         if (!param) {
             av_log(log_ctx, AV_LOG_ERROR, "recon_gain_info needed but not set in Stream Group #%u\n",
                    audio_element->audio_element_id);
-            return AVERROR(EINVAL);
+            ret = AVERROR(EINVAL);
+            goto cleanup;
         }
         ffio_write_leb(dyn_bc, AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN); // type
 
         param_def = ff_iamf_get_param_definition(iamf, param->parameter_id);
         ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
         if (ret < 0)
-            return ret;
+            goto cleanup;
     }
 
     if (element->audio_element_type == AV_IAMF_AUDIO_ELEMENT_TYPE_CHANNEL) {
         ret = scalable_channel_layout_config(audio_element, dyn_bc);
         if (ret < 0)
-            return ret;
+            goto cleanup;
     } else {
         ret = ambisonics_config(audio_element, dyn_bc);
         if (ret < 0)
-            return ret;
+            goto cleanup;
     }
 
     init_put_bits(&pbc, header, sizeof(header));
@@ -835,9 +838,11 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
     avio_write(pb, header, put_bytes_count(&pbc, 1));
     ffio_write_leb(pb, dyn_size);
     avio_write(pb, dyn_buf, dyn_size);
-    ffio_free_dyn_buf(&dyn_bc);
+    ret = 0;
 
-    return 0;
+cleanup:
+    ffio_free_dyn_buf(&dyn_bc);
+    return ret;
 }
 
 static int iamf_write_mixing_presentation(const IAMFContext *iamf,
@@ -886,7 +891,8 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
             if (av_dict_count(submix_element->annotations) != av_dict_count(mix->annotations)) {
                 av_log(log_ctx, AV_LOG_ERROR, "Inconsistent amount of labels in submix %d from Mix Presentation id #%u\n",
                        j, audio_element->audio_element_id);
-                return AVERROR(EINVAL);
+                ret = AVERROR(EINVAL);
+                goto cleanup;
             }
             while ((tag = av_dict_iterate(submix_element->annotations, tag)))
                 avio_put_str(dyn_bc, tag->value);
@@ -901,7 +907,7 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
             param_def = ff_iamf_get_param_definition(iamf, submix_element->element_mix_config->parameter_id);
             ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
             if (ret < 0)
-                return ret;
+                goto cleanup;
 
             avio_wb16(dyn_bc, rescale_rational(submix_element->default_mix_gain, 1 << 8));
         }
@@ -909,7 +915,7 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
         param_def = ff_iamf_get_param_definition(iamf, sub_mix->output_mix_config->parameter_id);
         ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
         if (ret < 0)
-            return ret;
+            goto cleanup;
         avio_wb16(dyn_bc, rescale_rational(sub_mix->default_mix_gain, 1 << 8));
 
         ffio_write_leb(dyn_bc, sub_mix->nb_layouts); // nb_layouts
@@ -928,11 +934,13 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
                 }
                 if (layout == FF_ARRAY_ELEMS(ff_iamf_sound_system_map)) {
                     av_log(log_ctx, AV_LOG_ERROR, "Invalid Sound System value in a submix\n");
-                    return AVERROR(EINVAL);
+                    ret = AVERROR(EINVAL);
+                    goto cleanup;
                 }
             } else if (submix_layout->layout_type != AV_IAMF_SUBMIX_LAYOUT_TYPE_BINAURAL) {
                 av_log(log_ctx, AV_LOG_ERROR, "Unsupported Layout Type value in a submix\n");
-                return AVERROR(EINVAL);
+                ret = AVERROR(EINVAL);
+                goto cleanup;
             }
             init_put_bits(&pbc, header, sizeof(header));
             put_bits(&pbc, 2, submix_layout->layout_type); // layout_type
@@ -974,9 +982,11 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
     avio_write(pb, header, put_bytes_count(&pbc, 1));
     ffio_write_leb(pb, dyn_size);
     avio_write(pb, dyn_buf, dyn_size);
-    ffio_free_dyn_buf(&dyn_bc);
+    ret = 0;
 
-    return 0;
+cleanup:
+    ffio_free_dyn_buf(&dyn_bc);
+    return ret;
 }
 
 int ff_iamf_write_descriptors(const IAMFContext *iamf, AVIOContext *pb, void *log_ctx)
@@ -1098,7 +1108,8 @@ static int write_parameter_block(const IAMFContext *iamf, AVIOContext *pb,
 
             if (!audio_element) {
                 av_log(log_ctx, AV_LOG_ERROR, "Invalid Parameter Definition with ID %u referenced by a packet\n", param->parameter_id);
-                return AVERROR(EINVAL);
+                ret = AVERROR(EINVAL);
+                goto cleanup;
             }
 
             for (int j = 0; j < audio_element->nb_layers; j++) {
@@ -1132,8 +1143,10 @@ static int write_parameter_block(const IAMFContext *iamf, AVIOContext *pb,
     dyn_size = avio_get_dyn_buf(dyn_bc, &dyn_buf);
     ffio_write_leb(pb, dyn_size);
     avio_write(pb, dyn_buf, dyn_size);
-    ffio_free_dyn_buf(&dyn_bc);
+    ret = 0;
 
+cleanup:
+    ffio_free_dyn_buf(&dyn_bc);
     return 0;
 }
 
-- 
2.50.0.108.g6ae0c543ae

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".