This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch master in repository ffmpeg.
commit 0f35146e272dcef3bdacaada51a9ba054cd9f2bf Author: Michael Niedermayer <[email protected]> AuthorDate: Fri Jan 16 03:31:14 2026 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Thu Feb 5 16:29:08 2026 +0100 avcodec/lzf: Remove size messing from ff_lzf_uncompress() size represents the output size randomly changing it but not reseting it on errors leaks uninitialized memory. Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/lzf.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 8f223b1f42..5d6e9925d4 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -38,16 +38,15 @@ #define LZF_LONG_BACKREF 7 + 2 -static inline int lzf_realloc(uint8_t **buf, size_t *size, int addition, unsigned *allocated_size) +static inline int lzf_realloc(uint8_t **buf, size_t new_size, unsigned *allocated_size) { - void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition); + void *ptr = av_fast_realloc(*buf, allocated_size, new_size); if (!ptr) { av_freep(buf); //probably not needed return AVERROR(ENOMEM); } *buf = ptr; - *size += addition; return 0; } @@ -63,8 +62,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned if (s < LZF_LITERAL_MAX) { s++; - if (s > *size - len) { - ret = lzf_realloc(buf, size, s, allocated_size); + if (s > *allocated_size - len) { + ret = lzf_realloc(buf, len + s, allocated_size); if (ret < 0) return ret; p = *buf + len; 
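Review bot: The retained comment `//probably not needed` on `av_freep(buf)` in lzf_realloc understates what that free does. As far as I know, av_fast_realloc's documented contract is that on failure it leaves the original buffer allocated and sets `*allocated_size` to 0, so this free is what keeps the pointer and the capacity consistent on the ENOMEM path. Since the helper's signature changes here anyway, I would replace the comment with `// av_fast_realloc() keeps the old buffer on failure and zeroes *allocated_size; free it so buf and capacity agree`. A one-line header comment would also help, saying the helper only grows capacity to at least `new_size` and never touches the decoded length.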
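Review bot: The new guard `s > *allocated_size - len` (and the matching `l > *allocated_size - len` in the hunk at -88/+87) makes `*allocated_size` the only bound on writes into `*buf`, and nothing visible states that requirement. It is correct only if the caller's `*allocated_size` is the real capacity of `*buf` (0 for a NULL buffer) and `len` never exceeds it; `len`'s declaration is outside the hunk, so whether the subtraction is done in a signed or an unsigned type cannot be checked from here. I would document the contract on ff_lzf_uncompress, e.g. `/* *allocated_size must be the true capacity of *buf; *size is written only on success */`, with the second half to be confirmed against the function's tail, which is outside the hunk. Bytes between the decoded length and the capacity are uninitialized, so callers should read only the length reported through `*size`.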
@@ -88,8 +87,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned if (off > len) return AVERROR_INVALIDDATA; - if (l > *size - len) { - ret = lzf_realloc(buf, size, l, allocated_size); + if (l > *allocated_size - len) { + ret = lzf_realloc(buf, len + l, allocated_size); if (ret < 0) return ret; p = *buf + len; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
