PR #23225 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23225 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23225.patch
Fixes: poc_dirac_v2_*
>From fa88cd926823fb5f30694ae5f26601fd0415a708 Mon Sep 17 00:00:00 2001
From: Anthony Hurtado <[email protected]>
Date: Tue, 19 May 2026 17:21:20 -0500
Subject: [PATCH] avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer
Fixes: poc_dirac_v2_*
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2a047c0bb9..a4a719aa8e 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -339,7 +339,7 @@ static int alloc_buffers(DiracContext *s, int stride)
 av_freep(&s->mctmp);
 av_freep(&s->mcscratch);
- s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+ s->edge_emu_buffer_base = av_malloc_array(stride, 4 * MAX_BLOCKSIZE);
 s->mctmp = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
 s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
@@ -1895,7 +1895,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
 /* FIXME: small resolutions */
 for (i = 0; i < 4; i++)
- s->edge_emu_buffer[i] = s->edge_emu_buffer_base + i*FFALIGN(p->width, 16);
+ s->edge_emu_buffer[i] = s->edge_emu_buffer_base + i*s->buffer_stride*MAX_BLOCKSIZE;
 if (!s->zero_res && !s->low_delay) {
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
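Review bot: The literal `4` in `av_malloc_array(stride, 4 * MAX_BLOCKSIZE)` is coupled to the `for (i = 0; i < 4; i++)` slice loop in dirac_decode_frame_internal, and nothing at the allocation says so; a later change to either side would silently bring back the out-of-bounds write this patch fixes. If `edge_emu_buffer` is a fixed-size array (its declaration is not visible here), `FF_ARRAY_ELEMS(s->edge_emu_buffer) * MAX_BLOCKSIZE` would tie the size to the slice count; otherwise add a comment such as `/* 4 slices of stride * MAX_BLOCKSIZE bytes, one per edge_emu_buffer[i] */`. The bound also relies on `s->buffer_stride` being the `stride` used here, which is assigned outside this hunk and is worth confirming. alloc_buffers starts and ends outside the hunk.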
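Review bot: The `/* FIXME: small resolutions */` comment still sits above the slice setup although the new offset `i*s->buffer_stride*MAX_BLOCKSIZE` no longer depends on `p->width`; if that FIXME referred to the undersized slices, it should be replaced by a comment stating the invariant, e.g. `/* each slice holds buffer_stride * MAX_BLOCKSIZE bytes; must match alloc_buffers() */`. The product is presumably evaluated in `int` (the type of `buffer_stride` is not shown), whereas `av_malloc_array` checks its multiplication for overflow, so it is worth confirming that the stride is bounded well below the point where `3 * buffer_stride * MAX_BLOCKSIZE` overflows. Since the expression is now the same for every plane, the loop could also be set up once next to the allocation, assuming it currently runs per plane. The function's body starts and ends outside the hunk.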
