jpeg2000: fix dereferencing invalid pointers during cleanup

CC: libav-stable@libav.org Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>

jpeg2000: fix dereferencing invalid pointers during cleanup
CC: libav-stable@libav.org Found-by: Laurent Butti <laurentb@gmail.com> Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
10306e9c · Vittorio Giovara · ab72eda1 · 10306e9c
Commit 10306e9c authored Mar 09, 2014 by Vittorio Giovara
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 8 deletions

jpeg2000.c libavcodec/jpeg2000.c +23 -8

No files found.
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -229,7 +229,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
        if (!comp->i_data)
            return AVERROR(ENOMEM);
    }
-    comp->reslevel = av_malloc_array(codsty->nreslevels, sizeof(*comp->reslevel));
+    comp->reslevel = av_mallocz_array(codsty->nreslevels, sizeof(*comp->reslevel));
    if (!comp->reslevel)
        return AVERROR(ENOMEM);
    /* LOOP on resolution levels */
@@ -277,7 +277,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
                                        reslevel->log2_prec_height) -
                (reslevel->coord[1][0] >> reslevel->log2_prec_height);
-        reslevel->band = av_malloc_array(reslevel->nbands, sizeof(*reslevel->band));
+        reslevel->band = av_mallocz_array(reslevel->nbands, sizeof(*reslevel->band));
        if (!reslevel->band)
            return AVERROR(ENOMEM);
@@ -373,9 +373,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
            for (j = 0; j < 2; j++)
                band->coord[1][j] = ff_jpeg2000_ceildiv(band->coord[1][j], dy);
-            band->prec = av_malloc_array(reslevel->num_precincts_x *
+            band->prec = av_mallocz_array(reslevel->num_precincts_x *
-                                         reslevel->num_precincts_y,
+                                          reslevel->num_precincts_y,
-                                         sizeof(*band->prec));
+                                          sizeof(*band->prec));
            if (!band->prec)
                return AVERROR(ENOMEM);
@@ -488,15 +488,30 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, Jpeg2000CodingStyle *codsty)
    for (reslevelno = 0;
         comp->reslevel && reslevelno < codsty->nreslevels;
         reslevelno++) {
-        Jpeg2000ResLevel *reslevel = comp->reslevel + reslevelno;
+        Jpeg2000ResLevel *reslevel;
+        if (!comp->reslevel)
+            continue;
+        reslevel = comp->reslevel + reslevelno;
        for (bandno = 0; bandno < reslevel->nbands; bandno++) {
-            Jpeg2000Band *band = reslevel->band + bandno;
+            Jpeg2000Band *band;
+            if (!reslevel->band)
+                continue;
+            band = reslevel->band + bandno;
            for (precno = 0; precno < reslevel->num_precincts_x * reslevel->num_precincts_y; precno++) {
-                Jpeg2000Prec *prec = band->prec + precno;
+                Jpeg2000Prec *prec;
+                if (!band->prec)
+                    continue;
+                prec = band->prec + precno;
                av_freep(&prec->zerobits);
                av_freep(&prec->cblkincl);
                av_freep(&prec->cblk);
            }
            av_freep(&band->prec);