From 885ecc7c667eac3521d4558b2be554d96c95da41 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Fri, 23 Jun 2023 19:27:26 -0700
Subject: [PATCH] vp9_dx_iface: fix leaks on init_decoder() failure

If any allocations fail in init_decoder() and the application continues to call vpx_codec_decode() some of the allocations would be orphaned or the decoder would be left in a partially initialized state.

Found with vpx_dec_fuzzer_vp9 & Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

Bug: webm:1807
Change-Id: I44f662526d715ecaeac6180070af40672cd42611
---
 vp9/vp9_dx_iface.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c
index 20e71cc..a242c77 100644
--- a/vp9/vp9_dx_iface.c
+++ b/vp9/vp9_dx_iface.c
@@ -256,6 +256,7 @@ static void set_ppflags(const vpx_codec_alg_priv_t *ctx, vp9_ppflags_t *flags) {
   } while (0)
 
 static vpx_codec_err_t init_decoder(vpx_codec_alg_priv_t *ctx) {
+  vpx_codec_err_t res;
   ctx->last_show_frame = -1;
   ctx->need_resync = 1;
   ctx->flushed = 0;
@@ -265,6 +266,8 @@ static vpx_codec_err_t init_decoder(vpx_codec_alg_priv_t *ctx) {
 
   ctx->pbi = vp9_decoder_create(ctx->buffer_pool);
   if (ctx->pbi == NULL) {
+    vpx_free(ctx->buffer_pool);
+    ctx->buffer_pool = NULL;
     set_error_detail(ctx, "Failed to allocate decoder");
     return VPX_CODEC_MEM_ERROR;
   }
@@ -282,7 +285,14 @@ static vpx_codec_err_t init_decoder(vpx_codec_alg_priv_t *ctx) {
   if (!ctx->postproc_cfg_set &&
       (ctx->base.init_flags & VPX_CODEC_USE_POSTPROC))
     set_default_ppflags(&ctx->postproc_cfg);
-  return init_buffer_callbacks(ctx);
+  res = init_buffer_callbacks(ctx);
+  if (res != VPX_CODEC_OK) {
+    vpx_free(ctx->buffer_pool);
+    ctx->buffer_pool = NULL;
+    vp9_decoder_remove(ctx->pbi);
+    ctx->pbi = NULL;
+  }
+  return res;
 }
 
 static INLINE void check_resync(vpx_codec_alg_priv_t *const ctx,
--
2.7.4
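Review bot: The release of ctx->buffer_pool added after the vp9_decoder_create() check is the same two lines the third hunk repeats in the init_buffer_callbacks() failure path, so init_decoder() now has two hand-written unwind sequences that must be kept in step. A single failure exit (a `fail:` label reached by `goto`, or a small `static void free_decoder_state(vpx_codec_alg_priv_t *ctx)` that also backs decoder teardown) would make the next allocation added to this function release correctly without another copy. The pool allocation this path releases sits above the hunk, and init_decoder() begins before it, so I cannot see whether that earlier failure return also needs the same treatment. A one-line comment such as `/* Release the pool created above so a later vpx_codec_decode() does not see a half-built context. */` would tell the reader why the free belongs here rather than in decoder_destroy().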
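Review bot: In the new init_buffer_callbacks() failure path the pool is freed with `vpx_free(ctx->buffer_pool)` before `vp9_decoder_remove(ctx->pbi)` runs, yet the second hunk shows ctx->pbi was created from that very pool (`vp9_decoder_create(ctx->buffer_pool)`) and presumably keeps a pointer to it; if vp9_decoder_remove() touches the pool through the decoder (for example to tear down a pool lock), that is a use-after-free on an allocation-failure path. Tearing down in reverse order of construction avoids the question: run `vp9_decoder_remove(ctx->pbi); ctx->pbi = NULL;` first and only then `vpx_free(ctx->buffer_pool); ctx->buffer_pool = NULL;`, which is also the order a destroy routine would naturally use. It is also worth confirming that init_buffer_callbacks() cannot return an error after attaching internal frame buffers to the pool, since this path releases the pool struct only and would orphan anything hung off it.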