mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak.
This commit therefore aborts the reading process upon encountering an already encountered tag.

Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com>
---
I don't know if one should error out in this scenario or not; or one could continue (i.e. use the already existing tag) or free the old one and use the new one. But this loop is only executed three times and all three tags need to be present for them to be of any use, so simply using continue in the scenario here would not be useful.

libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 47bbb3697d..a59c804d16 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4434,6 +4434,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) { ret = AVERROR(ENOMEM); -- 2.20.1
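
Review bot: The new `if (*p) break;` placed before `*p = av_malloc(len + 1);` leaves the loop on a repeated tag without setting `ret` or logging anything, whereas the allocation-failure path directly below it sets `ret = AVERROR(ENOMEM)`. Since the notes under the commit message leave open whether a duplicate tag should be an error, make the choice explicit at this point: either assign an error code to `ret` before the `break`, or add a one-line comment stating that a duplicate tag deliberately ends parsing and that the string already stored in `*p` is kept. A warning log here would also make malformed files easier to diagnose.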