fix use-after-free in audio_sample_entry_read (from oss-fuzz)
aureliendavid committed Dec 11, 2023
1 parent 66d9839 commit ee257ba
Showing 1 changed file with 13 additions and 1 deletion.
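--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -4217,7 +4217,19 @@ GF_Err audio_sample_entry_box_read(GF_Box *s, GF_BitStream *bs)
 if (GF_4CC((u32)data[i+4], (u8)data[i+5], (u8)data[i+6], (u8)data[i+7]) == GF_ISOM_BOX_TYPE_ESDS) {
 GF_BitStream *mybs = gf_bs_new(data + i, size - i, GF_BITSTREAM_READ);
 gf_bs_set_cookie(mybs, GF_ISOM_BS_COOKIE_NO_LOGS);
-if (ptr->esd) gf_isom_box_del_parent(&ptr->child_boxes, (GF_Box *)ptr->esd);
+if (ptr->esd) {
+
+gf_list_del_item(ptr->child_boxes, (GF_Box *)ptr->esd);
+
+for (u32 i=0; i<gf_list_count(ptr->child_boxes); i++) {
+GF_Box *inner_box = (GF_Box *)gf_list_get(ptr->child_boxes, i);
+if (inner_box->child_boxes) {
+gf_list_del_item(inner_box->child_boxes, (GF_Box *)ptr->esd);
+}
+}
+
+gf_isom_box_del((GF_Box *)ptr->esd);
+}
 ptr->esd = NULL;
 e = gf_isom_box_parse((GF_Box **)&ptr->esd, mybs);
 gf_bs_del(mybs);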
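Review bot: The unlinking done before `gf_isom_box_del((GF_Box *)ptr->esd)` covers only `ptr->child_boxes` and the child lists of its direct children, so a reference to the old esd held one level deeper, or in a typed field of an inner box rather than in its `child_boxes`, would still dangle after the free. Whether such a layout can be reached is not visible from this hunk, so a comment above the loop stating which nesting it is meant to cover (for example `/* esd may also be listed in a direct child's child_boxes; unlink it there before freeing */`) would make the invariant checkable. The new loop also declares `u32 i`, which shadows the outer `i` used in `data[i+4]` and `data + i` just above; writing it as `for (u32 j=0; j<gf_list_count(ptr->child_boxes); j++)` with `gf_list_get(ptr->child_boxes, j)` keeps the two indices apart and avoids a `-Wshadow` warning. The enclosing loop and function begin and end outside the hunk.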