GitLab

When staticbook_unpack fails due to a truncated packet, it calls staticbook_clear on the book. This results in the entire static_codebook being memset to 0 (after freeing its resources), which results in b->allocedp being 0. The error handling path in unpack_books calls info_clear which calls staticbook_destroy for each allocated book. staticbook_destroy returns early if b->allocedp is 0, missing a critical call to _ogg_free.

Here's a fuzzer-generated file that triggers this: http://mxr.mozilla.org/mozilla-central/source/content/media/test/bug498855-1.ogv