[FFmpeg-cvslog] avcodec/gif: Fix lzw buffer size
Michael Niedermayer
git at videolan.org
Mon Feb 1 02:35:23 CET 2016
ffmpeg | branch: release/2.4 | Michael Niedermayer <michael at niedermayer.cc> | Mon Jan 18 19:20:03 2016 +0100| [49ae02d36f25963e8ef9ea1fba82a7e1c9914563] | committer: Michael Niedermayer
avcodec/gif: Fix lzw buffer size
Fixes an out-of-array access
Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 03d83ba34b2070878909eae18dfac0f519503777)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=49ae02d36f25963e8ef9ea1fba82a7e1c9914563
---
libavcodec/gif.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/gif.c b/libavcodec/gif.c
index def1b83..b56d58c 100644
--- a/libavcodec/gif.c
+++ b/libavcodec/gif.c
@@ -43,6 +43,7 @@ typedef struct {
const AVClass *class;
LZWState *lzw;
uint8_t *buf;
+ int buf_size;
AVFrame *last_frame;
int flags;
uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8
@@ -168,7 +169,7 @@ static int gif_image_write_image(AVCodecContext *avctx,
bytestream_put_byte(bytestream, 0x08);
- ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height,
+ ff_lzw_encode_init(s->lzw, s->buf, s->buf_size,
12, FF_LZW_GIF, put_bits);
ptr = buf + y_start*linesize + x_start;
@@ -224,7 +225,8 @@ static av_cold int gif_encode_init(AVCodecContext *avctx)
avctx->coded_frame->key_frame = 1;
s->lzw = av_mallocz(ff_lzw_encode_state_size);
- s->buf = av_malloc(avctx->width*avctx->height*2);
+ s->buf_size = avctx->width*avctx->height*2 + 1000;
+ s->buf = av_malloc(s->buf_size);
s->tmpl = av_malloc(avctx->width);
if (!s->tmpl || !s->buf || !s->lzw)
return AVERROR(ENOMEM);
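Review bot: The size on the new `s->buf_size = avctx->width*avctx->height*2 + 1000;` line is computed entirely in `int`, so for a large width*height the multiplication is signed overflow (undefined behaviour) before av_malloc ever sees the value; the removed line had the same weakness, but the result is now also stored and handed to ff_lzw_encode_init as the bound that prevents the overrun this commit fixes, so it deserves an explicit check here. I believe the generic image-size check in avcodec_open2 keeps width*height well below INT_MAX in practice, but the encoder should not depend on a caller it cannot see; computing in a wider type and rejecting oversize frames makes the guarantee local: `int64_t sz = 2LL * avctx->width * avctx->height + 1000; if (sz > INT_MAX) return AVERROR(EINVAL); s->buf_size = (int)sz;`. The `+ 1000` is a magic number: a one-line comment stating what slack it covers (presumably the LZW sub-block and end-of-data overhead on a worst-case incompressible frame — confirm against the lzw encoder) or a named constant would help the next reader. gif_encode_init starts and ends outside the hunk.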
@@ -283,6 +285,7 @@ static int gif_encode_close(AVCodecContext *avctx)
av_freep(&s->lzw);
av_freep(&s->buf);
+ s->buf_size = 0;
av_frame_free(&s->last_frame);
av_freep(&s->tmpl);
return 0;