[FFmpeg-devel] [PATCH 2/3] avcodec/vc1dec: Allocate only as much space as is unescaped
Michael Niedermayer
michael at niedermayer.cc
Sat Oct 12 22:35:44 EEST 2019
Fixes: OOM
Fixes: 18137/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5723834900021248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/vc1dec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index ac3198e4fd..8befc6dfd8 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -694,7 +694,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
goto err;
}
slices = tmp;
- slices[n_slices].buf = av_mallocz(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
+ slices[n_slices].buf = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!slices[n_slices].buf) {
ret = AVERROR(ENOMEM);
goto err;
@@ -723,7 +723,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
goto err;
}
slices = tmp;
- slices[n_slices].buf = av_mallocz(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
+ slices[n_slices].buf = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!slices[n_slices].buf) {
ret = AVERROR(ENOMEM);
goto err;
--
2.23.0
More information about the ffmpeg-devel
mailing list