From 7a762519869e7d34ba1f5c2ff09519f1021f4f6a Mon Sep 17 00:00:00 2001
From: Tristan Matthews
Date: Thu, 20 Jun 2019 00:48:10 -0400
Subject: speexdec_fuzzer: fix leak of decoder state on header error

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/speex
---
 contrib/oss-fuzz/speexdec_fuzzer.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc
index a9e2ebe..6122497 100644
--- a/contrib/oss-fuzz/speexdec_fuzzer.cc
+++ b/contrib/oss-fuzz/speexdec_fuzzer.cc
@@ -110,6 +110,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t
    speex_decoder_ctl(st, SPEEX_GET_FRAME_SIZE, frame_size);
    if (*frame_size < 0 || *frame_size > 2*320) {
+      speex_decoder_destroy(st);
       free(header);
       return NULL;
    }
@@ -122,6 +123,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t
    if (header->frames_per_packet < 1 || header->frames_per_packet > 10) {
+      speex_decoder_destroy(st);
       free(header);
       return NULL;
    }
@@ -141,6 +143,7 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t
    if (header->extra_headers > INT_MAX - 1) {
+      speex_decoder_destroy(st);
       free(header);
       return NULL;
    }
-- 
cgit v1.2.3
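Review bot: The three error branches patched here now carry the same two-line cleanup by hand, which is exactly how the original leak was introduced and how the next one will be; a single cleanup label would make it impossible to forget. Replace each `speex_decoder_destroy(st); free(header); return NULL;` with `goto fail;` and add one `fail:` block at the end of process_header that does `speex_decoder_destroy(st); free(header); return NULL;`. The same applies to the second and third hunks (the frames_per_packet and extra_headers checks). process_header begins before the first hunk and ends after the last, so any other early return in the unseen parts of the function (including between the hunks, where the header says lines were skipped) should be checked for the same missing destroy. Note also that the first hunk header advertises six context lines while only five are visible in the collapsed text, so a trailing blank context line may have been lost in this copy.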