author | Tristan Matthews <tmatth@videolan.org> | 2019-06-20 07:48:10 +0300 |
---|---|---|
committer | Tristan Matthews <tmatth@videolan.org> | 2019-06-20 07:59:24 +0300 |
commit | 7a762519869e7d34ba1f5c2ff09519f1021f4f6a (patch) | |
tree | c692d4e0c681592d89f343b68948adb073a6d42c | |
parent | 56baf7ca631480fb8b7427333d317593c8f38488 (diff) |
speexdec_fuzzer: fix leak of decoder state on header error
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex
-rw-r--r-- | contrib/oss-fuzz/speexdec_fuzzer.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc index a9e2ebe..6122497 100644 --- a/contrib/oss-fuzz/speexdec_fuzzer.cc +++ b/contrib/oss-fuzz/speexdec_fuzzer.cc @@ -110,6 +110,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t speex_decoder_ctl(st, SPEEX_GET_FRAME_SIZE, frame_size); if (*frame_size < 0 || *frame_size > 2*320) { + speex_decoder_destroy(st); free(header); return NULL; } @@ -122,6 +123,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t if (header->frames_per_packet < 1 || header->frames_per_packet > 10) { + speex_decoder_destroy(st); free(header); return NULL; } @@ -141,6 +143,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t if (header->extra_headers > INT_MAX - 1) { + speex_decoder_destroy(st); free(header); return NULL; } |
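Review bot: The cleanup pair `speex_decoder_destroy(st); free(header);` is now repeated by hand in all three error branches (the frame-size check in the first hunk, and the `frames_per_packet` and `extra_headers` checks in the hunks at -122 and -141), which is presumably how the leak arose: any validation added later can drop one of the two calls again. Consider routing these branches through a single exit, e.g. `goto fail;` with `fail: speex_decoder_destroy(st); free(header); return NULL;` at the end of the function, provided no initialized declaration sits between the jumps and the label, since the file is built as C++. process_header starts and ends outside these hunks, so any other return path taken after the decoder state is created cannot be checked from here and deserves the same audit. In a fuzz harness this matters beyond tidiness, because a leak report on every rejected header tends to mask findings in the decoder itself.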