[FFmpeg-cvslog] [ffmpeg] 34/71: avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer

[Anthony Hurtado via ffmpeg-cvslog]

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/5.1
in repository ffmpeg.

commit 1162a8890aa2d95ba4808bd33c4eb64b7c11055d
Author:     Anthony Hurtado <amhurt...@pm.me>
AuthorDate: Tue May 19 17:21:20 2026 -0500
Commit:     Michael Niedermayer <mich...@niedermayer.cc>
CommitDate: Sat Jun 13 19:20:56 2026 +0200

    avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer
    
    Fixes: poc_dirac_v2_*
    (cherry picked from commit 495b402f275e1540dbeb7cca7579d6c1a3a725fa)
    Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 982b79f755..21d2f772b7 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -338,7 +338,7 @@ static int alloc_buffers(DiracContext *s, int stride)
     av_freep(&s->mctmp);
     av_freep(&s->mcscratch);
 
-    s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+    s->edge_emu_buffer_base = av_malloc_array(stride, 4 * MAX_BLOCKSIZE);
 
     s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 
5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
     s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
@@ -1894,7 +1894,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
 
         /* FIXME: small resolutions */
         for (i = 0; i < 4; i++)
-            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + 
i*FFALIGN(p->width, 16);
+            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + 
i*s->buffer_stride*MAX_BLOCKSIZE;
 
         if (!s->zero_res && !s->low_delay)
         {

_______________________________________________
ffmpeg-cvslog mailing list -- ffmpeg-cvslog@ffmpeg.org
To unsubscribe send an email to ffmpeg-cvslog-le...@ffmpeg.org