From e0f85533c3308d0fd1274a673a9e96b630ebea5d Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang
Date: Fri, 23 Jun 2023 14:46:30 -0700
Subject: [PATCH] ctx->frame_worker shouldn't be partially allocated

init_decoder() should not leave ctx->frame_worker partially allocated. It should fully allocate ctx->frame_worker on success, and set ctx->frame_worker to NULL on failure.

This bug was found by Philippe Antoine using nallocfuzz (see https://github.com/google/oss-fuzz/pull/9902).

Change-Id: I1ab5bb26e396f2f1d9f7e42f570563403f0e2be2
---
 av1/av1_dx_iface.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index 1c9b5d23dc8..a1e75589d3e 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c
@@ -121,7 +121,7 @@ static aom_codec_err_t decoder_destroy(aom_codec_alg_priv_t *ctx) {
  AV1Decoder *const pbi = frame_worker_data->pbi;
  aom_free(pbi->common.tpl_mvs);
  pbi->common.tpl_mvs = NULL;
- av1_remove_common(&frame_worker_data->pbi->common);
+ av1_remove_common(&pbi->common);
  av1_free_cdef_buffers(&pbi->common, &pbi->cdef_worker, &pbi->cdef_sync);
  av1_free_cdef_sync(&pbi->cdef_sync);
  av1_free_restoration_buffers(&pbi->common);
@@ -457,18 +457,24 @@ static aom_codec_err_t init_decoder(aom_codec_alg_priv_t *ctx) {
  }
 
  AVxWorker *const worker = ctx->frame_worker;
- FrameWorkerData *frame_worker_data = NULL;
  winterface->init(worker);
  worker->thread_name = "aom frameworker";
  worker->data1 = aom_memalign(32, sizeof(FrameWorkerData));
  if (worker->data1 == NULL) {
+ winterface->end(worker);
+ aom_free(worker);
+ ctx->frame_worker = NULL;
  set_error_detail(ctx, "Failed to allocate frame_worker_data");
  return AOM_CODEC_MEM_ERROR;
  }
- frame_worker_data = (FrameWorkerData *)worker->data1;
+ FrameWorkerData *frame_worker_data = (FrameWorkerData *)worker->data1;
  frame_worker_data->pbi = av1_decoder_create(ctx->buffer_pool);
  if (frame_worker_data->pbi == NULL) {
- set_error_detail(ctx, "Failed to allocate frame_worker_data");
+ winterface->end(worker);
+ aom_free(frame_worker_data);
+ aom_free(worker);
+ ctx->frame_worker = NULL;
+ set_error_detail(ctx, "Failed to allocate frame_worker_data->pbi");
  return AOM_CODEC_MEM_ERROR;
  }
  frame_worker_data->frame_context_ready = 0;
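Review bot: The two failure paths added under `if (worker->data1 == NULL)` and `if (frame_worker_data->pbi == NULL)` hand-copy the same unwind (`winterface->end(worker)`, the frees, `ctx->frame_worker = NULL`), so the next allocation added to init_decoder() needs a third copy and can quietly reintroduce the partially-built `ctx->frame_worker` state this commit removes; a single cleanup label that frees `worker->data1` unconditionally (assuming aom_free(NULL) is a no-op like free()) keeps the unwind in one place. The order the new code uses — end the worker, free its data, free the worker, then clear the pointer — is correct and is kept in the sketch below. init_decoder() starts before and continues after this hunk, so the label belongs after the function's last allocation and its success return; if the build enables -Wjump-misses-init, keep the `frame_worker_data` declaration ahead of the first `goto`, as the removed line had it.
```c
  if (worker->data1 == NULL) {
    set_error_detail(ctx, "Failed to allocate frame_worker_data");
    goto fail;
  }
  FrameWorkerData *frame_worker_data = (FrameWorkerData *)worker->data1;
  frame_worker_data->pbi = av1_decoder_create(ctx->buffer_pool);
  if (frame_worker_data->pbi == NULL) {
    set_error_detail(ctx, "Failed to allocate frame_worker_data->pbi");
    goto fail;
  }
  // … unchanged: rest of init_decoder(), up to and including its success return …

fail:
  // Single unwind point: on return ctx->frame_worker is either fully built or NULL.
  winterface->end(worker);
  aom_free(worker->data1);  // still NULL on the first failure path
  aom_free(worker);
  ctx->frame_worker = NULL;
  return AOM_CODEC_MEM_ERROR;
```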