# HG changeset patch
# User reimar
# Date 1390167959 0
# Node ID e5e36c2a005535fe5add3c90ad235b118416ee75
# Parent 79358001ddb2dd95cf2abfaff1445e80e9c1628a
demux_mkv: Fix massive memleaks in attachment parsing.
diff -r 79358001ddb2 -r e5e36c2a0055 libmpdemux/demux_mkv.c
--- a/libmpdemux/demux_mkv.c Sun Jan 19 18:53:32 2014 +0000
+++ b/libmpdemux/demux_mkv.c Sun Jan 19 21:45:59 2014 +0000
@@ -1232,17 +1232,25 @@
 switch (ebml_read_id(s, &il)) {
 case MATROSKA_ID_FILENAME:
+ free(name);
 name = ebml_read_utf8(s, &l);
- if (name == NULL)
+ if (name == NULL) {
+ free(mime);
+ free(data);
 return 0;
+ }
 mp_msg(MSGT_DEMUX, MSGL_V, "[mkv] | + FileName: %s\n", name);
 break;
 case MATROSKA_ID_FILEMIMETYPE:
+ free(mime);
 mime = ebml_read_ascii(s, &l);
- if (mime == NULL)
+ if (mime == NULL) {
+ free(name);
+ free(data);
 return 0;
+ }
 mp_msg(MSGT_DEMUX, MSGL_V, "[mkv] | + FileMimeType: %s\n", mime);
 break;
@@ -1253,10 +1261,15 @@
 uint64_t num = ebml_read_length(s, &x);
 l = x + num;
 free(data);
- if (num > SIZE_MAX)
+ if (num > SIZE_MAX) {
+ free(name);
+ free(mime);
 return 0;
+ }
 data = malloc(num);
- if (stream_read(s, data, num) != (int) num) {
+ if (!data || stream_read(s, data, num) != (int) num) {
+ free(name);
+ free(mime);
 free(data);
 return 0;
 }
@@ -1278,6 +1291,9 @@
 mp_msg(MSGT_DEMUX, MSGL_V, "[mkv] Attachment: %s, %s, %u bytes\n", name, mime, data_size);
+ free(name);
+ free(mime);
+ free(data);
 break;
 }
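Review bot: The cleanup on the new error exits in the MATROSKA_ID_FILENAME and MATROSKA_ID_FILEMIMETYPE cases is written out by hand before every `return 0;`, and the data-reading hunk (@@ -1253) repeats the same pattern twice more. Each exit has to list exactly the right buffers, so a later field or exit can quietly bring the leak back. A single exit would be easier to keep correct: replace each early return with `goto fail;` and put `fail: free(name); free(mime); free(data); return 0;` once at the end of the block that declares the three pointers. That block starts and ends outside this hunk, so whether other exits need the same change cannot be seen here.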
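Review bot: The guard `if (num > SIZE_MAX)` does not protect the `(int) num` cast in the `stream_read()` comparison a few lines later. `num` is a length read from the file by `ebml_read_length()`, and on a build where size_t is 64 bits the guard can never fire. A length above INT_MAX therefore reaches `malloc(num)` and is then narrowed to int for the comparison, and presumably for the read length as well (the `stream_read()` prototype is not visible here), so the amount read may not match the amount allocated. Bounding by the type actually used closes the gap: `if (num > INT_MAX) {`. Separately, the new `!data` test rejects a zero-length attachment on platforms where `malloc(0)` returns NULL, which may or may not be intended.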
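Review bot: Freeing `name`, `mime` and `data` right after the `mp_msg()` call is safe only if the code that consumed them earlier in this case took its own copies, and nothing in the hunk records that. The consumer is outside the hunk, so a comment above the frees would document the ownership rule, for example `/* attachment list keeps its own copies; release the parse buffers */`, once that has been confirmed. If the three pointers are declared outside the per-attachment block, they also need `name = NULL; mime = NULL; data = NULL;` after the frees. Otherwise the `free(name)` and `free(mime)` added at the top of the FileName and FileMimeType cases, and the existing `free(data)`, would free them a second time on the next attachment.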