[FFmpeg-cvslog] [ffmpeg] 65/96: avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer

Sat, 13 Jun 2026 20:31:40 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/8.0
in repository ffmpeg.

commit ef25a582df7ef35fedc787fa1bb33c468f77d724
Author:     Anthony Hurtado <[email protected]>
AuthorDate: Tue May 19 17:21:20 2026 -0500
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 04:59:08 2026 +0200

    avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer
    
    Fixes: poc_dirac_v2_*
    (cherry picked from commit 495b402f275e1540dbeb7cca7579d6c1a3a725fa)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2a047c0bb9..a4a719aa8e 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -339,7 +339,7 @@ static int alloc_buffers(DiracContext *s, int stride)
     av_freep(&s->mctmp);
     av_freep(&s->mcscratch);
 
-    s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+    s->edge_emu_buffer_base = av_malloc_array(stride, 4 * MAX_BLOCKSIZE);
 
     s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 
5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
     s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
@@ -1895,7 +1895,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
 
         /* FIXME: small resolutions */
         for (i = 0; i < 4; i++)
-            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + 
i*FFALIGN(p->width, 16);
+            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + 
i*s->buffer_stride*MAX_BLOCKSIZE;
 
         if (!s->zero_res && !s->low_delay)
         {

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to