shithub: dav1d

Download patch

ref: 82d8807750ffc9ad5b864ac0605553a2211b297d
parent: 5e1ba6a2d50a232e07366b7337dbe2921bc2af26
author: Janne Grunau <[email protected]>
date: Tue Oct 9 19:51:24 EDT 2018

fix input buffer ref leak on tile parse errors

Seen with clusterfuzz-testcase-minimized-dav1d_fuzzer-5749222154960896,
Credit to OSS-Fuzz.

--- a/src/obu.c
+++ b/src/obu.c
@@ -1039,13 +1039,24 @@
         c->tile[c->n_tile_data].data.ref = in->ref;
         c->tile[c->n_tile_data].data.data = in->data + off;
         c->tile[c->n_tile_data].data.sz = len + init_off - off;
-        if (c->tile[c->n_tile_data].start > c->tile[c->n_tile_data].end)
+        if (c->tile[c->n_tile_data].start > c->tile[c->n_tile_data].end) {
+            for (int i = 0; i <= c->n_tile_data; i++)
+                dav1d_data_unref(&c->tile[i].data);
+            c->n_tile_data = 0;
+            c->tile_mask = 0;
             goto error;
+        }
 #define mask(a) ((1 << (a)) - 1)
         const unsigned tile_mask = mask(c->tile[c->n_tile_data].end + 1) -
                                    mask(c->tile[c->n_tile_data].start);
 #undef mask
-        if (tile_mask & c->tile_mask) goto error; // tile overlap
+        if (tile_mask & c->tile_mask) { // tile overlap
+            for (int i = 0; i <= c->n_tile_data; i++)
+                dav1d_data_unref(&c->tile[i].data);
+            c->n_tile_data = 0;
+            c->tile_mask = 0;
+            goto error;
+        }
         c->tile_mask |= tile_mask;
         c->n_tile_data++;
         break;