avformat/dashdec: Avoid double free on error

[ffmpeg] / libavformat / apngdec.c

diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 53cdd4538e010b9c2ef6560adcb6bbc15e60b889..0f1d04a3655f0a374b900a6fe2b5b3ed1255c3e9 100644 (file)
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -66,7 +66,7 @@ typedef struct APNGDemuxContext {
  *     ...
  *     IDAT
  */
-static int apng_probe(AVProbeData *p)
+static int apng_probe(const AVProbeData *p)
 {
     GetByteContext gb;
     int state = 0;
@@ -127,13 +127,14 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len)
     int new_size, ret;
     uint8_t *new_extradata;
 
-    if (previous_size > INT_MAX - len)
+    if (previous_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - len)
         return AVERROR_INVALIDDATA;
 
     new_size = previous_size + len;
     new_extradata = av_realloc(par->extradata, new_size + AV_INPUT_BUFFER_PADDING_SIZE);
     if (!new_extradata)
         return AVERROR(ENOMEM);
+    memset(new_extradata + new_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
     par->extradata = new_extradata;
     par->extradata_size = new_size;
 
@@ -177,10 +178,9 @@ static int apng_read_header(AVFormatContext *s)
         return ret;
 
     /* extradata will contain every chunk up to the first fcTL (excluded) */
-    st->codecpar->extradata = av_malloc(len + 12 + AV_INPUT_BUFFER_PADDING_SIZE);
-    if (!st->codecpar->extradata)
-        return AVERROR(ENOMEM);
-    st->codecpar->extradata_size = len + 12;
+    ret = ff_alloc_extradata(st->codecpar, len + 12);
+    if (ret < 0)
+        return ret;
     AV_WB32(st->codecpar->extradata,    len);
     AV_WL32(st->codecpar->extradata+4,  tag);
     AV_WB32(st->codecpar->extradata+8,  st->codecpar->width);
@@ -241,10 +241,6 @@ static int apng_read_header(AVFormatContext *s)
     }
 
 fail:
-    if (st->codecpar->extradata_size) {
-        av_freep(&st->codecpar->extradata);
-        st->codecpar->extradata_size = 0;
-    }
     return ret;
 }