Date: Sat, 17 May 2025 11:31:12 +0100
From: Mark Thompson
To: ffmpeg-devel@ffmpeg.org
References: <20250514205033.3177814-1-sw@jkqxz.net>
In-Reply-To: <20250514205033.3177814-1-sw@jkqxz.net>
Subject: Re: [FFmpeg-devel] [PATCH] cbs_apv: Fix memory leak on metadata parse failure

On 14/05/2025 21:50, Mark Thompson wrote:
> Buffers are allocated inside some metadata types, so we must ensure
> that the object is visible to the free function before a parse failure.
>
> Found by libFuzzer.
> ---
>  libavcodec/cbs_apv_syntax_template.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/cbs_apv_syntax_template.c b/libavcodec/cbs_apv_syntax_template.c
> index ca66349141..fc8a08ff31 100644
> --- a/libavcodec/cbs_apv_syntax_template.c
> +++ b/libavcodec/cbs_apv_syntax_template.c
> @@ -543,11 +543,11 @@ static int FUNC(metadata)(CodedBitstreamContext *ctx, RWContext *rw,
>              return AVERROR_INVALIDDATA;
>          }
>
> +        current->metadata_count = p + 1;
> +
>          CHECK(FUNC(metadata_payload)(ctx, rw, pl));
>
>          metadata_bytes_left -= pl->payload_size;
> -
> -        current->metadata_count = p + 1;
>          if (metadata_bytes_left == 0)
>              break;
>      }

Applied.

Simple application of libFuzzer to the decoder hasn't found anything else, either.

Thanks,

- Mark
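Review bot: the reordering in the hunk fixes the leak, but nothing at the new position of `current->metadata_count = p + 1;` says why the count is bumped before `metadata_payload` has parsed the entry; a one-line comment there ("set before the CHECK so the free function sees this entry if parsing fails") would stop a later cleanup from moving it back below the CHECK and reintroducing the leak. The fix also relies on the free path tolerating an entry whose payload was only partially parsed (any buffers the failed parse never allocated must be left NULL and skipped), which is worth stating in the commit message alongside the libFuzzer finding.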