[FFmpeg-cvslog] avcodec/tiff: Use av_fast_padded_malloc() in tiff_unpack_fax()
Michael Niedermayer
git at videolan.org
Sun Jun 4 01:24:04 EEST 2017
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jun 3 23:57:58 2017 +0200| [9221445fa001093307864a53f91c1172c239de18] | committer: Michael Niedermayer
avcodec/tiff: Use av_fast_padded_malloc() in tiff_unpack_fax()
Fixes: Timeout
Fixes: 1213/clusterfuzz-testcase-minimized-6022987469815808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9221445fa001093307864a53f91c1172c239de18
---
libavcodec/tiff.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 680269b096..b96caeb8ce 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -74,6 +74,8 @@ typedef struct TiffContext {
int deinvert_buf_size;
uint8_t *yuv_line;
unsigned int yuv_line_size;
+ uint8_t *fax_buffer;
+ unsigned int fax_buffer_size;
int geotag_count;
TiffGeoTag *geotags;
@@ -452,8 +454,10 @@ static int tiff_unpack_fax(TiffContext *s, uint8_t *dst, int stride,
{
int i, ret = 0;
int line;
- uint8_t *src2 = av_malloc((unsigned)size +
- AV_INPUT_BUFFER_PADDING_SIZE);
+ uint8_t *src2;
+
+ av_fast_padded_malloc(&s->fax_buffer, &s->fax_buffer_size, size);
+ src2 = s->fax_buffer;
if (!src2) {
av_log(s->avctx, AV_LOG_ERROR,
@@ -475,7 +479,6 @@ static int tiff_unpack_fax(TiffContext *s, uint8_t *dst, int stride,
horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0);
dst += stride;
}
- av_free(src2);
return ret;
}
@@ -1408,6 +1411,8 @@ static av_cold int tiff_end(AVCodecContext *avctx)
ff_lzw_decode_close(&s->lzw);
av_freep(&s->deinvert_buf);
+ av_freep(&s->fax_buffer);
+ s->fax_buffer_size = 0;
return 0;
}
More information about the ffmpeg-cvslog
mailing list