ref: 82d8807750ffc9ad5b864ac0605553a2211b297d
parent: 5e1ba6a2d50a232e07366b7337dbe2921bc2af26
author: Janne Grunau <janne-vlc@jannau.net>
date: Tue Oct 9 19:51:24 EDT 2018
fix input buffer ref leak on tile parse errors. Seen with clusterfuzz-testcase-minimized-dav1d_fuzzer-5749222154960896; credit to OSS-Fuzz.
--- a/src/obu.c
+++ b/src/obu.c
@@ -1039,13 +1039,24 @@
c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data].data.data = in->data + off;
c->tile[c->n_tile_data].data.sz = len + init_off - off;
- if (c->tile[c->n_tile_data].start > c->tile[c->n_tile_data].end)
+ if (c->tile[c->n_tile_data].start > c->tile[c->n_tile_data].end) {
+ for (int i = 0; i <= c->n_tile_data; i++)
+ dav1d_data_unref(&c->tile[i].data);
+ c->n_tile_data = 0;
+ c->tile_mask = 0;
goto error;
+ }
#define mask(a) ((1 << (a)) - 1)
const unsigned tile_mask = mask(c->tile[c->n_tile_data].end + 1) -
mask(c->tile[c->n_tile_data].start);
#undef mask
- if (tile_mask & c->tile_mask) goto error; // tile overlap
+ if (tile_mask & c->tile_mask) { // tile overlap
+ for (int i = 0; i <= c->n_tile_data; i++)
+ dav1d_data_unref(&c->tile[i].data);
+ c->n_tile_data = 0;
+ c->tile_mask = 0;
+ goto error;
+ }
c->tile_mask |= tile_mask;
c->n_tile_data++;
break;
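Review bot: The four-line release sequence (unref loop, `c->n_tile_data = 0`, `c->tile_mask = 0`) is pasted verbatim at both new error paths, after the start > end check and after the tile-overlap check, and any further failure in this case would need a third copy; a small static helper, or doing the release once under the `error:` label, keeps the leak fix in one place. The inclusive bound `i <= c->n_tile_data` is correct here only because the assignment `c->tile[c->n_tile_data].data.ref = in->ref` at the top of the hunk has already populated the current entry, so a shared helper should state that precondition — a caller that bails out before that assignment would unref an entry holding no reference. Whether the remaining `goto error` paths of this case, which precede the hunk, still leak the references held by tiles 0..n_tile_data-1 depends on what the `error:` label does; both are outside the hunk.

```c
/* Releases every tile-group reference collected so far and resets the tile
 * bookkeeping. Precondition: c->tile[c->n_tile_data].data.ref has already
 * been assigned, which is why the loop bound is inclusive. */
static void drop_tile_data(Dav1dContext *const c) {
    for (int i = 0; i <= c->n_tile_data; i++)
        dav1d_data_unref(&c->tile[i].data);
    c->n_tile_data = 0;
    c->tile_mask = 0;
}

// … unchanged: tile data ref/data/sz assignment …
if (c->tile[c->n_tile_data].start > c->tile[c->n_tile_data].end) {
    drop_tile_data(c);
    goto error;
}
// … unchanged: tile_mask computation …
if (tile_mask & c->tile_mask) { // tile overlap
    drop_tile_data(c);
    goto error;
}
```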