[FFmpeg-cvslog] lzf: update pointer p after realloc
Andreas Cadhalpun
git at videolan.org
Sun Nov 27 01:41:08 EET 2016

ffmpeg | branch: release/3.0 | Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com> | Fri Nov  4 22:58:49 2016 +0100 | [ef2d91e9c337f50edbc7631485bfec385601f4bb] | committer: Andreas Cadhalpun

lzf: update pointer p after realloc

This fixes heap-use-after-free detected by AddressSanitizer.

Reviewed-by: Luca Barbato <lu_zero at gentoo.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ef2d91e9c337f50edbc7631485bfec385601f4bb
---
 libavcodec/lzf.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 409a7ff..5b7526e 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             bytestream2_get_buffer(gb, p, s);
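Review bot: The added `p = *buf + len;` after the `av_reallocp(buf, *size)` call has no comment saying why the pointer is recomputed, and its correctness depends on `len` being exactly the number of bytes already written to the output at this point, which is set outside the lines shown. A one-line comment such as `/* av_reallocp() may move the buffer, rebase p */` would keep a later cleanup from dropping the line as redundant, and it is worth confirming that `len` is only advanced after `bytestream2_get_buffer(gb, p, s)` so the rebased `p` neither skips nor overwrites data.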
@@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             av_memcpy_backptr(p, off, l);
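Review bot: The same `p = *buf + len;` rebase is repeated in this second grow path before `av_memcpy_backptr(p, off, l)`, so any future realloc site in this function has to remember to copy it as well. Since `av_memcpy_backptr` reads from `p - off` as well as writing to `p`, a stale `p` here puts both the source and the destination in freed memory. Consider moving the grow-and-rebase step into one small helper, or keeping the write position as an offset into `*buf` and deriving the pointer at each use, so there is no cached pointer to go stale.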
    
    