diff mbox series

[FFmpeg-devel,2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths()

Message ID 20230913234734.22402-2-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Sept. 13, 2023, 11:47 p.m. UTC 
Fixes: use after free
Fixes: 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vlc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index b353d2e86c2..f4bab0ae529 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -471,10 +471,13 @@  int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
             goto fail;
         }
     }
-    ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf);
+    ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf);
     if (ret < 0)
         goto fail;
-    return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx);
+    ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx);
+    if (buf != localbuf)
+        av_free(buf);
+    return ret;
 fail:
     if (buf != localbuf)
         av_free(buf);