From 37b2c7b6f8192c284162675bb3cf2d3092c96ef7 Mon Sep 17 00:00:00 2001 From: Weidong Wang Date: Sat, 14 Mar 2026 13:45:39 -0500 Subject: [PATCH] avcodec/xxan: zero-initialize y_buffer Fixes ticket #22420. When the first decoded frame is type 1, xan_decode_frame_type1() reads y_buffer as prior-frame state before any data has been written to it. Since y_buffer is allocated with av_malloc(), this may propagate uninitialized heap data into the decoded luma output. Allocate y_buffer with av_mallocz() instead. (cherry picked from commit 236dbc9f82b2d6b9946f63940eed67ca1489a803) Signed-off-by: Michael Niedermayer --- libavcodec/xxan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 1dd46b36eb..fcbf39ddcb 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -67,7 +67,7 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) } s->buffer_size = avctx->width * avctx->height; - s->y_buffer = av_malloc(s->buffer_size); + s->y_buffer = av_mallocz(s->buffer_size); if (!s->y_buffer) return AVERROR(ENOMEM); s->scratch_buffer = av_malloc(s->buffer_size + 130);