avcodec/lzf: Remove size messing from ff_lzf_uncompress()

size represents the output size
Randomly changing it but not resetting it on errors leaks uninitialized memory.

Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-01-16 03:31:14 +01:00
parent 5db50e8775
commit 0f35146e27


@@ -38,16 +38,15 @@
#define LZF_LONG_BACKREF 7 + 2
static inline int lzf_realloc(uint8_t **buf, size_t *size, int addition, unsigned *allocated_size)
static inline int lzf_realloc(uint8_t **buf, size_t new_size, unsigned *allocated_size)
{
void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition);
void *ptr = av_fast_realloc(*buf, allocated_size, new_size);
if (!ptr) {
av_freep(buf); //probably not needed
return AVERROR(ENOMEM);
}
*buf = ptr;
*size += addition;
return 0;
}
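Review bot: The rewritten lzf_realloc now takes an absolute target size (`new_size`) instead of an increment, but nothing in the hunk states that contract, and the `//probably not needed` remark on the av_freep line reads as if the free were optional. As far as I recall av_fast_realloc leaves the original buffer untouched when it fails, so that av_freep is what stops the old buffer from leaking and what hands the caller a NULL `*buf` instead of a stale pointer; the remark should say so rather than doubt it. I would put a header comment above the function along the lines of `/* Grow *buf to at least new_size bytes. On failure *buf is freed and set to NULL and AVERROR(ENOMEM) is returned. */` and replace the trailing remark with `/* av_fast_realloc keeps the old buffer on failure; free it so the caller never sees a stale pointer */`.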
@@ -63,8 +62,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned
if (s < LZF_LITERAL_MAX) {
s++;
if (s > *size - len) {
ret = lzf_realloc(buf, size, s, allocated_size);
if (s > *allocated_size - len) {
ret = lzf_realloc(buf, len + s, allocated_size);
if (ret < 0)
return ret;
p = *buf + len;
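Review bot: The new guard `if (s > *allocated_size - len)` is evaluated in unsigned arithmetic, so it only means "buffer too small" while `len <= *allocated_size` holds; if len ever exceeded the allocation the subtraction would wrap to a huge value, the realloc would be skipped and the following write would run past the buffer. That invariant rests on how len is initialised and on the caller passing an `*allocated_size` that matches `*buf`, both outside this hunk, and the code does not state it anywhere. Writing the test as `if (len + s > *allocated_size)` mirrors the `len + s` already passed to lzf_realloc on the next line and makes the intent explicit; the same applies to `if (l > *allocated_size - len)` in the third hunk (`@@ -88,8 +87,8 @@`). ff_lzf_uncompress begins and ends outside this hunk, so I could not confirm that `*size` is now assigned only on the success path as the commit message intends.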
@@ -88,8 +87,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned
if (off > len)
return AVERROR_INVALIDDATA;
if (l > *size - len) {
ret = lzf_realloc(buf, size, l, allocated_size);
if (l > *allocated_size - len) {
ret = lzf_realloc(buf, len + l, allocated_size);
if (ret < 0)
return ret;
p = *buf + len;