* [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer
@ 2025-06-27 14:09 Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths Lidong Yan
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-27 14:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
Fix multiple leaks in error paths. Simply add av_free() in error path or
replace return AVERROR* with goto cleanup to prevent from leaks.
Lidong Yan (4):
avformat/movenc: fix multiple leaks in error paths
avcodec/vorbisenc: fix leak if av_mallocz failed
avfilter/vf_lut3d: fix leak if allocate_3dlut failed
avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated
memory
libavcodec/vorbisenc.c | 4 +++-
libavfilter/vf_lut3d.c | 2 +-
libavformat/iamf_writer.c | 47 +++++++++++++++++++++++++--------------
libavformat/movenc.c | 22 ++++++++++++------
4 files changed, 49 insertions(+), 26 deletions(-)
--
2.50.0.108.g6ae0c543ae
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths
2025-06-27 14:09 [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer Lidong Yan
@ 2025-06-27 14:09 ` Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vorbisenc: fix leak if av_mallocz failed Lidong Yan
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-27 14:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
In mov_write_iacb_tag(), avio_open_dyn_buf() allocates a buffer
but we forgot to free it when ff_iamf_write_descriptors() failed. Add
cleanup code and goto cleanup if error happened.
In mov_preroll_write_stbl_atoms(), av_malloc_array() allocates an
array and it leaks if packets distance > 32. Add av_free(sgpd_entries)
before return.
In mov_write_track_udta_tag(), avio_open_dyn_buf() allocates a buffer,
and this buffer leaks if mov_write_track_kinds() failed. Add cleanup
code and goto cleanup if error happened.
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
libavformat/movenc.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index a651d6d618..c9a55c1817 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -337,14 +337,18 @@ static int mov_write_iacb_tag(AVFormatContext *s, AVIOContext *pb, MOVTrack *tra
ret = ff_iamf_write_descriptors(track->iamf, dyn_bc, s);
if (ret < 0)
- return ret;
+ goto cleanup;
dyn_size = avio_close_dyn_buf(dyn_bc, &dyn_buf);
ffio_write_leb(pb, dyn_size);
avio_write(pb, dyn_buf, dyn_size);
- av_free(dyn_buf);
+ ret = update_size(pb, pos);
- return update_size(pb, pos);
+cleanup:
+ if (!dyn_buf)
+ avio_close_dyn_buf(dyn_bc, &dyn_buf);
+ av_free(dyn_buf);
+ return ret;
}
#endif
@@ -3173,8 +3177,10 @@ static int mov_preroll_write_stbl_atoms(AVIOContext *pb, MOVTrack *track)
if (roll_samples_remaining > 0)
distance = 0;
/* Verify distance is a maximum of 32 (2.5ms) packets. */
- if (distance > 32)
+ if (distance > 32) {
+ av_free(sgpd_entries);
return AVERROR_INVALIDDATA;
+ }
if (i && distance == sgpd_entries[entries].roll_distance) {
sgpd_entries[entries].count++;
} else {
@@ -4186,7 +4192,7 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
if (mov->mode & MODE_MP4) {
if ((ret = mov_write_track_kinds(pb_buf, st)) < 0)
- return ret;
+ goto cleanup;
}
if ((size = avio_get_dyn_buf(pb_buf, &buf)) > 0) {
@@ -4194,9 +4200,11 @@ static int mov_write_track_udta_tag(AVIOContext *pb, MOVMuxContext *mov,
ffio_wfourcc(pb, "udta");
avio_write(pb, buf, size);
}
- ffio_free_dyn_buf(&pb_buf);
+ ret = 0;
- return 0;
+cleanup:
+ ffio_free_dyn_buf(&pb_buf);
+ return ret;
}
static int mov_write_trak_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContext *mov,
--
2.50.0.108.g6ae0c543ae
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 2/4] avcodec/vorbisenc: fix leak if av_mallocz failed
2025-06-27 14:09 [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths Lidong Yan
@ 2025-06-27 14:09 ` Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 3/4] avfilter/vf_lut3d: fix leak if allocate_3dlut failed Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 4/4] avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated memory Lidong Yan
3 siblings, 0 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-27 14:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
In put_main_header(), av_mallocz() allocates memory to local variable
buffer, buffer leaks if av_mallocz() to *out failed. Add av_free(buffer)
before return error code.
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
libavcodec/vorbisenc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c
index 99ac72c910..b4680a11ed 100644
--- a/libavcodec/vorbisenc.c
+++ b/libavcodec/vorbisenc.c
@@ -740,8 +740,10 @@ static int put_main_header(vorbis_enc_context *venc, uint8_t **out)
len = hlens[0] + hlens[1] + hlens[2];
p = *out = av_mallocz(64 + len + len/255);
- if (!p)
+ if (!p) {
+ av_freep(&buffer);
return AVERROR(ENOMEM);
+ }
*p++ = 2;
p += av_xiphlacing(p, hlens[0]);
--
2.50.0.108.g6ae0c543ae
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 3/4] avfilter/vf_lut3d: fix leak if allocate_3dlut failed
2025-06-27 14:09 [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vorbisenc: fix leak if av_mallocz failed Lidong Yan
@ 2025-06-27 14:09 ` Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 4/4] avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated memory Lidong Yan
3 siblings, 0 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-27 14:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
In parse_cinespace(), memory allocated in in_prelut[] and out_prelut[]
would leak if allocate_3dlut() failed. Replace return ret with goto end
to free memory before return error code.
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
libavfilter/vf_lut3d.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c
index 5f6bfc65b3..46afe36f6c 100644
--- a/libavfilter/vf_lut3d.c
+++ b/libavfilter/vf_lut3d.c
@@ -1006,7 +1006,7 @@ static int parse_cinespace(AVFilterContext *ctx, FILE *f)
ret = allocate_3dlut(ctx, size, prelut);
if (ret < 0)
- return ret;
+ goto end;
for (int k = 0; k < size; k++) {
for (int j = 0; j < size; j++) {
--
2.50.0.108.g6ae0c543ae
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 4/4] avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated memory
2025-06-27 14:09 [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer Lidong Yan
` (2 preceding siblings ...)
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 3/4] avfilter/vf_lut3d: fix leak if allocate_3dlut failed Lidong Yan
@ 2025-06-27 14:09 ` Lidong Yan
3 siblings, 0 replies; 5+ messages in thread
From: Lidong Yan @ 2025-06-27 14:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lidong Yan
In iamf_write_codec_config(), if codec_id equals to AV_CODEC_ID_AAC,
avio_open_dyn_buf() allocated memory would leak. Add ffio_free_dyn_buf()
to free dyn_bc before return.
In iamf_write_audio_element(), multiple places returns without free
dyn_bc, replace return AVERROR* with goto cleanup and add cleanup code
to free dyn_bc. Do the same thing for iamf_write_audio_element() and
write_parameter_block().
Signed-off-by: Lidong Yan <502024330056@smail.nju.edu.cn>
---
libavformat/iamf_writer.c | 47 +++++++++++++++++++++++++--------------
1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/libavformat/iamf_writer.c b/libavformat/iamf_writer.c
index f88987790d..2e8df602b1 100644
--- a/libavformat/iamf_writer.c
+++ b/libavformat/iamf_writer.c
@@ -523,6 +523,7 @@ static int iamf_write_codec_config(const IAMFContext *iamf,
avio_write(dyn_bc, codec_config->extradata, codec_config->extradata_size);
break;
case AV_CODEC_ID_AAC:
+ ffio_free_dyn_buf(&dyn_bc);
return AVERROR_PATCHWELCOME;
case AV_CODEC_ID_FLAC:
avio_w8(dyn_bc, 0x80);
@@ -774,7 +775,8 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
if (layout == 3 || layout == 4 || layout == 6 || layout == 7) {
av_log(log_ctx, AV_LOG_ERROR, "demixing_info needed but not set in Stream Group #%u\n",
audio_element->audio_element_id);
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
}
param_definition_types &= ~AV_IAMF_PARAMETER_DEFINITION_DEMIXING;
@@ -794,7 +796,7 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
param_def = ff_iamf_get_param_definition(iamf, param->parameter_id);
ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
if (ret < 0)
- return ret;
+ goto cleanup;
avio_w8(dyn_bc, demix->dmixp_mode << 5); // dmixp_mode
avio_w8(dyn_bc, element->default_w << 4); // default_w
@@ -806,24 +808,25 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
if (!param) {
av_log(log_ctx, AV_LOG_ERROR, "recon_gain_info needed but not set in Stream Group #%u\n",
audio_element->audio_element_id);
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
ffio_write_leb(dyn_bc, AV_IAMF_PARAMETER_DEFINITION_RECON_GAIN); // type
param_def = ff_iamf_get_param_definition(iamf, param->parameter_id);
ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
if (ret < 0)
- return ret;
+ goto cleanup;
}
if (element->audio_element_type == AV_IAMF_AUDIO_ELEMENT_TYPE_CHANNEL) {
ret = scalable_channel_layout_config(audio_element, dyn_bc);
if (ret < 0)
- return ret;
+ goto cleanup;
} else {
ret = ambisonics_config(audio_element, dyn_bc);
if (ret < 0)
- return ret;
+ goto cleanup;
}
init_put_bits(&pbc, header, sizeof(header));
@@ -835,9 +838,11 @@ static int iamf_write_audio_element(const IAMFContext *iamf,
avio_write(pb, header, put_bytes_count(&pbc, 1));
ffio_write_leb(pb, dyn_size);
avio_write(pb, dyn_buf, dyn_size);
- ffio_free_dyn_buf(&dyn_bc);
+ ret = 0;
- return 0;
+cleanup:
+ ffio_free_dyn_buf(&dyn_bc);
+ return ret;
}
static int iamf_write_mixing_presentation(const IAMFContext *iamf,
@@ -886,7 +891,8 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
if (av_dict_count(submix_element->annotations) != av_dict_count(mix->annotations)) {
av_log(log_ctx, AV_LOG_ERROR, "Inconsistent amount of labels in submix %d from Mix Presentation id #%u\n",
j, audio_element->audio_element_id);
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
while ((tag = av_dict_iterate(submix_element->annotations, tag)))
avio_put_str(dyn_bc, tag->value);
@@ -901,7 +907,7 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
param_def = ff_iamf_get_param_definition(iamf, submix_element->element_mix_config->parameter_id);
ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
if (ret < 0)
- return ret;
+ goto cleanup;
avio_wb16(dyn_bc, rescale_rational(submix_element->default_mix_gain, 1 << 8));
}
@@ -909,7 +915,7 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
param_def = ff_iamf_get_param_definition(iamf, sub_mix->output_mix_config->parameter_id);
ret = param_definition(iamf, param_def, dyn_bc, log_ctx);
if (ret < 0)
- return ret;
+ goto cleanup;
avio_wb16(dyn_bc, rescale_rational(sub_mix->default_mix_gain, 1 << 8));
ffio_write_leb(dyn_bc, sub_mix->nb_layouts); // nb_layouts
@@ -928,11 +934,13 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
}
if (layout == FF_ARRAY_ELEMS(ff_iamf_sound_system_map)) {
av_log(log_ctx, AV_LOG_ERROR, "Invalid Sound System value in a submix\n");
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
} else if (submix_layout->layout_type != AV_IAMF_SUBMIX_LAYOUT_TYPE_BINAURAL) {
av_log(log_ctx, AV_LOG_ERROR, "Unsupported Layout Type value in a submix\n");
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
init_put_bits(&pbc, header, sizeof(header));
put_bits(&pbc, 2, submix_layout->layout_type); // layout_type
@@ -974,9 +982,11 @@ static int iamf_write_mixing_presentation(const IAMFContext *iamf,
avio_write(pb, header, put_bytes_count(&pbc, 1));
ffio_write_leb(pb, dyn_size);
avio_write(pb, dyn_buf, dyn_size);
- ffio_free_dyn_buf(&dyn_bc);
+ ret = 0;
- return 0;
+cleanup:
+ ffio_free_dyn_buf(&dyn_bc);
+ return ret;
}
int ff_iamf_write_descriptors(const IAMFContext *iamf, AVIOContext *pb, void *log_ctx)
@@ -1098,7 +1108,8 @@ static int write_parameter_block(const IAMFContext *iamf, AVIOContext *pb,
if (!audio_element) {
av_log(log_ctx, AV_LOG_ERROR, "Invalid Parameter Definition with ID %u referenced by a packet\n", param->parameter_id);
- return AVERROR(EINVAL);
+ ret = AVERROR(EINVAL);
+ goto cleanup;
}
for (int j = 0; j < audio_element->nb_layers; j++) {
@@ -1132,8 +1143,10 @@ static int write_parameter_block(const IAMFContext *iamf, AVIOContext *pb,
dyn_size = avio_get_dyn_buf(dyn_bc, &dyn_buf);
ffio_write_leb(pb, dyn_size);
avio_write(pb, dyn_buf, dyn_size);
- ffio_free_dyn_buf(&dyn_bc);
+ ret = 0;
+cleanup:
+ ffio_free_dyn_buf(&dyn_bc);
return 0;
}
--
2.50.0.108.g6ae0c543ae
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-06-27 14:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-06-27 14:09 [FFmpeg-devel] [PATCH 0/4] fix leaks in movenc, vorbisenc, lut3d and iamf_writer Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 1/4] avformat/movenc: fix multiple leaks in error paths Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vorbisenc: fix leak if av_mallocz failed Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 3/4] avfilter/vf_lut3d: fix leak if allocate_3dlut failed Lidong Yan
2025-06-27 14:09 ` [FFmpeg-devel] [PATCH 4/4] avformat/iamf_writer: fix leaks of avio_open_dyn_buf() allocated memory Lidong Yan
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git