The Vorbis encoder allocates several arrays destined to contain pointers to separately allocated arrays; yet these arrays are allocated without initializing them: their entries remain uninitialized until their final values are stored in them; so if allocating one of the earlier subarrays fails, all of the remaining pointers to subarrays are still uninitialized. But they are nevertheless used for freeing, resulting in crashes.
Fix this by zero-initializing the arrays with subarrays.
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@outlook.com>
---
 libavcodec/vorbisenc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c
index 1f7e9b3c91..dc54919f64 100644
--- a/libavcodec/vorbisenc.c
+++ b/libavcodec/vorbisenc.c
@@ -279,7 +279,7 @@ static int create_vorbis_context(vorbis_enc_context *venc,
 venc->log2_blocksize[0] = venc->log2_blocksize[1] = 11;
 venc->ncodebooks = FF_ARRAY_ELEMS(cvectors);
- venc->codebooks = av_malloc(sizeof(vorbis_enc_codebook) * venc->ncodebooks);
+ venc->codebooks = av_mallocz(sizeof(vorbis_enc_codebook) * venc->ncodebooks);
 if (!venc->codebooks)
 return AVERROR(ENOMEM);
@@ -318,7 +318,7 @@ static int create_vorbis_context(vorbis_enc_context *venc,
 }
 venc->nfloors = 1;
- venc->floors = av_malloc(sizeof(vorbis_enc_floor) * venc->nfloors);
+ venc->floors = av_mallocz(sizeof(vorbis_enc_floor) * venc->nfloors);
 if (!venc->floors)
 return AVERROR(ENOMEM);
@@ -335,7 +335,7 @@ static int create_vorbis_context(vorbis_enc_context *venc,
 fc->nclasses = FFMAX(fc->nclasses, fc->partition_to_class[i]);
 }
 fc->nclasses++;
- fc->classes = av_malloc_array(fc->nclasses, sizeof(vorbis_enc_floor_class));
+ fc->classes = av_calloc(fc->nclasses, sizeof(vorbis_enc_floor_class));
 if (!fc->classes)
 return AVERROR(ENOMEM);
 for (i = 0; i < fc->nclasses; i++) {
@@ -375,7 +375,7 @@ static int create_vorbis_context(vorbis_enc_context *venc,
 return AVERROR_BUG;
 venc->nresidues = 1;
- venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues);
+ venc->residues = av_mallocz(sizeof(vorbis_enc_residue) * venc->nresidues);
 if (!venc->residues)
 return AVERROR(ENOMEM);
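Review bot: The size passed to `av_mallocz` for `venc->codebooks` is still an open-coded `sizeof(vorbis_enc_codebook) * venc->ncodebooks`, while the `fc->classes` hunk of this same patch uses the overflow-checked `av_calloc`. The counts visible here are small (`FF_ARRAY_ELEMS(cvectors)` and the literal 1), so this is a consistency point rather than a live overflow. Using one form throughout keeps the pattern safe if a count ever becomes data-dependent: `venc->codebooks = av_calloc(venc->ncodebooks, sizeof(*venc->codebooks));`. The same applies to the `venc->floors`, `venc->residues` and `venc->mappings` allocations in the later hunks. create_vorbis_context starts and ends outside these hunks.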
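Review bot: `fc->nclasses` is already non-zero when `av_calloc` fails in the `fc->classes` hunk, so the early `return AVERROR(ENOMEM)` leaves a NULL `fc->classes` next to a positive count. Zeroing the array only prevents the crash described in the commit message if the cleanup code checks `fc->classes` for NULL before walking its entries. That code is not part of this diff, so this should be confirmed. A short comment at the allocation would record the dependency, e.g. `/* zeroed: the close path frees every subarray pointer, also after a partial init */`. The surrounding function body lies outside the hunk.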
@@ -409,7 +409,7 @@ static int create_vorbis_context(vorbis_enc_context *venc,
 return ret;
 venc->nmappings = 1;
- venc->mappings = av_malloc(sizeof(vorbis_enc_mapping) * venc->nmappings);
+ venc->mappings = av_mallocz(sizeof(vorbis_enc_mapping) * venc->nmappings);
 if (!venc->mappings)
 return AVERROR(ENOMEM);
-- 
2.27.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".