From patchwork Mon Aug 26 03:54:20 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Almer <jamrial@gmail.com>
X-Patchwork-Id: 14715
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 77E41448547
	for <patchwork@ffaux-bg.ffmpeg.org>;
	Mon, 26 Aug 2019 06:56:23 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4DD9968AC64;
	Mon, 26 Aug 2019 06:56:23 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-qt1-f195.google.com (mail-qt1-f195.google.com
	[209.85.160.195])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B453A68AC26
	for <ffmpeg-devel@ffmpeg.org>; Mon, 26 Aug 2019 06:56:16 +0300 (EEST)
Received: by mail-qt1-f195.google.com with SMTP id q4so16700364qtp.1
	for <ffmpeg-devel@ffmpeg.org>; Sun, 25 Aug 2019 20:56:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=wNnNclOZKj/z3ARPMAV8mF6QyP+hvpaUrRuwvvo8Ts8=;
	b=G3oC0EzjHGnLVQzgROsOe2ehlFFmu96dkksUEnS0V8wp7aI97JOW+4fYYpXgL38aWz
	Z6CaRqqK+YS5KpZYv6wAuVTjypGhA9sr/ZCbI5DFUuX1IkWn3GSHK/sAnlVewNsV4VNb
	HPzJs+4cqLYoJiaevL0LezqJzFr2F4q4Mn9a402kkwWF7re2EBaehApYNsTfTPuUe3lr
	ZrB5ZPRP7/ccxEQNlQotPi82a4Ud+VKb45jOYXDWBVjvFg+RkaHapVlir0YywltRh6hu
	RVzy85clpHmaJjGuYztArI0vWI8sTF2dQEeeXUvtOWNI5+niorP/XmTa276J4TRqPOjy
	oYZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=wNnNclOZKj/z3ARPMAV8mF6QyP+hvpaUrRuwvvo8Ts8=;
	b=hbY67z85bwbGwhZmSoJdmfVvADaz8j2aIZIDH1wtOCAmFeUn6rnoQ4DATu9kDL6Yb4
	8f24QdKxmvhZIzdVfBzTi7cP0CqXfX5ATKCJGWOt8G27C+y5/SdjUu3fbgVsNNMbfBQk
	fh00C/cVoCnp9obsQt5t5BK11tl47JgWMC+HKJ6enUrbEneYumkLLO5fIK92EOn07MCf
	RF50HA8KOGftU8dbWxAA+2Y9DRQ1BZXNqKv4gDTXOf4t6TzbswJEMLH/oz2uW7FLb11w
	mGnL9AACOGiSSyA79+k1sU4/C5UTrMtdF2R7DhZYfrc2g7CSQC9QgcNieAr1x24Dv/1Z
	JYag==
X-Gm-Message-State: APjAAAU3yMLlleerpiJxLahnoZBcI7hzHKO4oj9uNVDtlTYOKdI8idlq
	As/uKmtOiCL9LhRSSJpx9Xuosi4p
X-Google-Smtp-Source: 
 APXvYqxdpBXRiP7IgLBEBXA6hmkvLQtJ0i/OB3eShXshjT59XLgWzazzNxemXL6FF/FzKaJ3SzO59g==
X-Received: by 2002:ac8:7299:: with SMTP id
	v25mr15988838qto.381.1566791775091;
	Sun, 25 Aug 2019 20:56:15 -0700 (PDT)
Received: from localhost.localdomain ([181.23.84.150])
	by smtp.gmail.com with ESMTPSA id
	d45sm6557456qtk.57.2019.08.25.20.56.13
	for <ffmpeg-devel@ffmpeg.org>
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Sun, 25 Aug 2019 20:56:14 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 26 Aug 2019 00:54:20 -0300
Message-Id: <20190826035420.700-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.22.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] avcodec/h2645_parse: zero initialize the
	rbsp buffer
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes ticket #8093

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/h2645_parse.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index 24658b3dfa..307e8643e6 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc)
 
 static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref)
 {
+    int min_size = size;
+
     if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
         goto fail;
     size += AV_INPUT_BUFFER_PADDING_SIZE;
 
     if (rbsp->rbsp_buffer_alloc_size >= size &&
-        (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref)))
+        (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) {
+        av_assert0(rbsp->rbsp_buffer);
+        memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
         return;
+    }
 
     size = FFMIN(size + size / 16 + 32, INT_MAX);
 
@@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref)
     else
         av_free(rbsp->rbsp_buffer);
 
-    rbsp->rbsp_buffer = av_malloc(size);
+    rbsp->rbsp_buffer = av_mallocz(size);
     if (!rbsp->rbsp_buffer)
         goto fail;
     rbsp->rbsp_buffer_alloc_size = size;