This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/4.4
in repository ffmpeg.

commit 88580e69b82d0c005b30464178c95fd5fd110105
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri May 1 20:31:57 2026 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 18:55:15 2026 +0200

    avcodec/rasc: fix heap use-after-free in decode_move()
    
    Use a separate scratch buffer (s->mv_scratch) for the type-0 pixel
    copy so s->delta and mc are not disturbed for the lifetime of
    decode_move().  The new buffer is freed in decode_close().
    
    Found-by: Seung Min Shin
    Patch based on suggested fix by Seung Min Shin
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 2f60af465ad78ae4be85e0bbde4067846d80b582)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/rasc.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c
index 5ed1333886..b5ef9b78e1 100644
--- a/libavcodec/rasc.c
+++ b/libavcodec/rasc.c
@@ -51,6 +51,8 @@ typedef struct RASCContext {
     GetByteContext  gb;
     uint8_t        *delta;
     int             delta_size;
+    uint8_t        *mv_scratch;
+    unsigned int    mv_scratch_size;
     uint8_t        *cursor;
     int             cursor_size;
     unsigned        cursor_w;
@@ -293,10 +295,8 @@ static int decode_move(AVCodecContext *avctx,
                 b2 -= s->frame2->linesize[0];
             }
         } else if (type == 0) {
-            uint8_t *buffer;
-
-            av_fast_padded_malloc(&s->delta, &s->delta_size, w * h * s->bpp);
-            buffer = s->delta;
+            av_fast_padded_malloc(&s->mv_scratch, &s->mv_scratch_size, w * h * s->bpp);
+            uint8_t *buffer = s->mv_scratch;
             if (!buffer)
                 return AVERROR(ENOMEM);
 
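Review bot: The reason the type-0 path must not reuse s->delta lives only in the commit message, not in the code, so the switch to s->mv_scratch invites a later "why two buffers?" cleanup that would reintroduce the use-after-free; a comment above the av_fast_padded_malloc() call would pin it: `/* Separate scratch buffer: s->delta (and mc) stay live for the whole of decode_move(), and av_fast_padded_malloc() may realloc/free the old block. */`. The size argument `w * h * s->bpp` is evaluated in the operands' own types before conversion to size_t, so if w, h and bpp are plain ints taken from the bitstream the product can overflow before the call; that is inherited from the old code rather than new, and presumably bounded by earlier checks in decode_move(), but worth confirming. decode_move() begins and ends outside this hunk.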
@@ -779,6 +779,8 @@ static av_cold int decode_close(AVCodecContext *avctx)
     s->cursor_size = 0;
     av_freep(&s->delta);
     s->delta_size = 0;
+    av_freep(&s->mv_scratch);
+    s->mv_scratch_size = 0;
     av_frame_free(&s->frame1);
     av_frame_free(&s->frame2);
     inflateEnd(&s->zstream);
