[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: clear window

James Almer jamrial at gmail.com
Tue Nov 5 04:59:15 EET 2024


On 11/4/2024 11:23 PM, Michael Niedermayer wrote:
> Fixes: Use of uninitialised value of size 8

Odd, the only load op with dec->window appears to be 4 bytes.

> Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
> Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
> 
> Found-by: ossfuzz
> Reported-by: Kacper Michajlow
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>   libavcodec/jpegxl_parser.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 8c45e1a1b73..179ca1170bd 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -847,7 +847,7 @@ static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec,
>       }
>   
>       if (bundle->lz77_enabled && !dec->window) {
> -        dec->window = av_malloc_array(1 << 20, sizeof(uint32_t));
> +        dec->window = calloc(1 << 20, sizeof(uint32_t));

av_calloc(). How did it not crash for you once it was freed by av_free?

Also, wouldn't this be hiding a bug? Reading memory that was expected to 
be previously set.

>           if (!dec->window)
>               return AVERROR(ENOMEM);
>       }
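Review bot: the `+` line replaces `av_malloc_array()` with libc `calloc()`, but the buffer is released with `av_free()` (as noted above), so the allocation and the free come from different allocators; `av_calloc(1 << 20, sizeof(uint32_t))` keeps the zero-initialisation while staying paired with FFmpeg's allocator. Zero-filling also turns a read of a window slot that LZ77 decoding has not yet written into a silent read of 0, so the load from `dec->window` should be checked against how much of the window has actually been filled rather than relying on the zeroed buffer.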
