
[FFmpeg-devel] lzf: update pointer p after realloc

Message ID 8c8bca25-2d80-0c33-6990-fb3ac474bd68@googlemail.com
State Accepted
Commit 43de8b328b62cf21ec176c3989065168da471a5f

Commit Message

Andreas Cadhalpun Nov. 4, 2016, 10:33 p.m. UTC
This fixes heap-use-after-free detected by AddressSanitizer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/lzf.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Andreas Cadhalpun Nov. 5, 2016, 6:03 p.m. UTC | #1
On 05.11.2016 01:36, Luca Barbato wrote:
> On 04/11/2016 23:33, Andreas Cadhalpun wrote:
>> This fixes heap-use-after-free detected by AddressSanitizer.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavcodec/lzf.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
>> index 409a7ff..5b7526e 100644
>> --- a/libavcodec/lzf.c
>> +++ b/libavcodec/lzf.c
>> @@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
>>                  ret = av_reallocp(buf, *size);
>>                  if (ret < 0)
>>                      return ret;
>> +                p = *buf + len;
>>              }
>>  
>>              bytestream2_get_buffer(gb, p, s);
>> @@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
>>                  ret = av_reallocp(buf, *size);
>>                  if (ret < 0)
>>                      return ret;
>> +                p = *buf + len;
>>              }
>>  
>>              av_memcpy_backptr(p, off, l);
>>
> 
> Looks good, thank you!

Pushed.

Best regards,
Andreas

Patch

diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 409a7ff..5b7526e 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -53,6 +53,7 @@  int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             bytestream2_get_buffer(gb, p, s);
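Review bot: The write right after the realloc block, `bytestream2_get_buffer(gb, p, s);`, runs after a single grow step with no visible re-check that `s` bytes now fit between `len` and the new `*size`. The size computation sits above the hunk and is not shown, so this needs confirming: if the increment is only a fraction of the current `*size`, a small initial buffer could still be too short after one realloc, and the re-derived `p` would then write past the end of the new allocation. Folding the pending length into the increment, e.g. `*size += s + *size / 2;`, would guarantee room. The same applies in the second hunk, with `l` in place of `s`, before `av_memcpy_backptr(p, off, l);`. The body of ff_lzf_uncompress starts and ends outside both hunks.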
@@ -75,6 +76,7 @@  int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             av_memcpy_backptr(p, off, l);
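Review bot: The assignment `p = *buf + len;` now appears in both branches with nothing recording why it is needed, so a later write path that reallocates could reintroduce the stale-pointer bug. A one-line comment above each assignment would state the invariant, e.g. `/* av_reallocp() may move *buf; re-derive the write cursor from the new base */`. It is also worth a note at the `return ret;` above: on failure av_reallocp() frees the buffer and sets `*buf` to NULL, so callers must treat both the buffer and any size already written back as invalid. Whether `*size` has been updated by that point is outside the hunk and should be checked.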