[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: clear window
James Almer
jamrial at gmail.com
Tue Nov 5 04:59:15 EET 2024
On 11/4/2024 11:23 PM, Michael Niedermayer wrote:
> Fixes: Use of uninitialised value of size 8
Odd, the only load op with dec->window appears to be 4 bytes.
> Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
> Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
>
> Found-by: ossfuzz
> Reported-by: Kacper Michajlow
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/jpegxl_parser.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 8c45e1a1b73..179ca1170bd 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -847,7 +847,7 @@ static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec,
> }
>
> if (bundle->lz77_enabled && !dec->window) {
> - dec->window = av_malloc_array(1 << 20, sizeof(uint32_t));
> + dec->window = calloc(1 << 20, sizeof(uint32_t));
av_calloc(). How did it not crash for you once it was freed by av_free?
Also, wouldn't this be hiding a bug? Reading memory that was expected to
be previously set.
> if (!dec->window)
> return AVERROR(ENOMEM);
> }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20241104/fec15bde/attachment.sig>
More information about the ffmpeg-devel
mailing list