[FFmpeg-cvslog] avcodec/vc1dec: Allocate only as much space as is unescaped
Michael Niedermayer
git at videolan.org
Sat Jan 18 19:59:47 EET 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Oct 12 17:54:29 2019 +0200| [6a69f049274fcc22b462e3997596a28bef3feda6] | committer: Michael Niedermayer
avcodec/vc1dec: Allocate only as much space as is unescaped
Fixes: OOM
Fixes: 18137/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5723834900021248
Fixes: 20037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5683758976204800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6a69f049274fcc22b462e3997596a28bef3feda6
---
libavcodec/vc1dec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index c526b200b5..15783e3b8d 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -701,7 +701,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
goto err;
}
slices = tmp;
- slices[n_slices].buf = av_mallocz(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
+ slices[n_slices].buf = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!slices[n_slices].buf) {
ret = AVERROR(ENOMEM);
goto err;
@@ -730,7 +730,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
goto err;
}
slices = tmp;
- slices[n_slices].buf = av_mallocz(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
+ slices[n_slices].buf = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!slices[n_slices].buf) {
ret = AVERROR(ENOMEM);
goto err;
More information about the ffmpeg-cvslog
mailing list