xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/rasc: fix heap use-after-free in decode_move()

Browse Source 
Use a separate scratch buffer (s->mv_scratch) for the type-0 pixel
copy so s->delta and mc are not disturbed for the lifetime of
decode_move().  The new buffer is freed in decode_close().

Found-by: Seung Min Shin
Patch based on suggsted fix by Seung Min Shin

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-05-01 20:31:57 +02:00
committed by michaelni
parent 8010aa2193
commit 2f60af465a
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/rasc.c
+6 -4
View File
@@ -51,6 +51,8 @@ typedef struct RASCContext {
GetByteContext gb;
uint8_t *delta;
int delta_size;
uint8_t *mv_scratch;
unsigned int mv_scratch_size;
uint8_t *cursor;
int cursor_size;
unsigned cursor_w;
@@ -294,10 +296,8 @@ static int decode_move(AVCodecContext *avctx,
b2 -= s->frame2->linesize[0];
}
} else if (type == 0) {
uint8_t *buffer;
av_fast_padded_malloc(&s->delta, &s->delta_size, w * h * s->bpp);
buffer = s->delta;
av_fast_padded_malloc(&s->mv_scratch, &s->mv_scratch_size, w * h * s->bpp);
uint8_t *buffer = s->mv_scratch;
if (!buffer)
return AVERROR(ENOMEM);
@@ -772,6 +772,8 @@ static av_cold int decode_close(AVCodecContext *avctx)
s->cursor_size = 0;
av_freep(&s->delta);
s->delta_size = 0;
av_freep(&s->mv_scratch);
s->mv_scratch_size = 0;
av_frame_free(&s->frame1);
av_frame_free(&s->frame2);
ff_inflate_end(&s->zstream);