avcodec/alsdec: Fix raw_mantissa memleak

Fixes: 0cee183a09bff5aa5108429717c35a4d/asan_heap-oob_1d99eca_3702_9ef60e80de79082a778d3d9ce8ef3b64.mp4
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index c31f733967ee13210a1559046b185924537d69a5..1bb71f5a47e74641e92e0adbb2f51e18fa594c74 100644 (file)
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1887,6 +1887,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 static av_cold int decode_end(AVCodecContext *avctx)
 {
     ALSDecContext *ctx = avctx->priv_data;
+    int i;
 
     av_freep(&ctx->sconf.chan_pos);
 
@@ -1920,7 +1921,12 @@ static av_cold int decode_end(AVCodecContext *avctx)
     av_freep(&ctx->last_acf_mantissa);
     av_freep(&ctx->shift_value);
     av_freep(&ctx->last_shift_value);
-    av_freep(&ctx->raw_mantissa);
+    if (ctx->raw_mantissa) {
+        for (i = 0; i < avctx->channels; i++) {
+            av_freep(&ctx->raw_mantissa[i]);
+        }
+        av_freep(&ctx->raw_mantissa);
+    }
     av_freep(&ctx->larray);
     av_freep(&ctx->nbits);
 
@@ -2064,7 +2070,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
         ctx->shift_value       = av_malloc_array(avctx->channels, sizeof(*ctx->shift_value));
         ctx->last_shift_value  = av_malloc_array(avctx->channels, sizeof(*ctx->last_shift_value));
         ctx->last_acf_mantissa = av_malloc_array(avctx->channels, sizeof(*ctx->last_acf_mantissa));
-        ctx->raw_mantissa      = av_malloc_array(avctx->channels, sizeof(*ctx->raw_mantissa));
+        ctx->raw_mantissa      = av_mallocz_array(avctx->channels, sizeof(*ctx->raw_mantissa));
 
         ctx->larray = av_malloc_array(ctx->cur_frame_length * 4, sizeof(*ctx->larray));
         ctx->nbits  = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));