PR #20280 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280.patch
ff_lxf_uncompress() reallocates the array which we allocated with av_fast_realloc(), this patchset fixes this by adding av_fast_realloc() support to ff_lxf_uncompress() >From cee3985dd978103cab742b6cc5fa98aad9ad8608 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <mich...@niedermayer.cc> Date: Tue, 19 Aug 2025 03:09:14 +0200 Subject: [PATCH 1/2] avcode: Use av_fast_realloc() in ff_lzf_uncompress() Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200 Fixes: mixed up realloc() functions Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/dxv.c | 2 +- libavcodec/lzf.c | 28 +++++++++++++++++++++++----- libavcodec/lzf.h | 2 +- libavcodec/notchlc.c | 2 +- 4 files changed, 26 insertions(+), 8 deletions(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index dd82e450b1..b48ee76a88 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) static int dxv_decompress_lzf(AVCodecContext *avctx) { DXVContext *ctx = avctx->priv_data; - return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size); + return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size); } static int dxv_decompress_raw(AVCodecContext *avctx) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 94b369dd59..3e8780d599 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -37,7 +37,27 @@ #define LZF_LITERAL_MAX (1 << 5) #define LZF_LONG_BACKREF 7 + 2 -int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) + +static inline int lzf_realloc(uint8_t **buf, int64_t *size, int addition, unsigned *allocated_size) +{ + if (allocated_size) { + void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition); + if (!ptr) { + av_freep(buf); //probably not needed + return AVERROR(ENOMEM); + } + *buf = ptr; + *size += addition; + + return 0; + } else { + //TODO remove this codepath after updating notchlc + *size += addition + *size / 2; + return av_reallocp(buf, *size); + } +} + +int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size) { int ret = 0; uint8_t *p = *buf; @@ -49,8 +69,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += s + *size /2; - ret = av_reallocp(buf, *size); + ret = lzf_realloc(buf, size, s, allocated_size); if (ret < 0) return ret; p = *buf + len; @@ -75,8 +94,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += l + *size / 2; - ret = av_reallocp(buf, *size); + ret = lzf_realloc(buf, size, l, allocated_size); if (ret < 0) return ret; p = *buf + len; diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h index 0ad73d9f79..5a89b6a876 100644 --- a/libavcodec/lzf.h +++ b/libavcodec/lzf.h @@ -24,6 +24,6 @@ #include "bytestream.h" -int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size); +int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size); #endif /* AVCODEC_LZF_H */ diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 246a3e0174..51a94660cd 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c @@ -490,7 +490,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_PATCHWELCOME; if (s->format == 0) { - ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size); + ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, NULL); if (ret < 0) return ret; -- 2.49.1 >From 19c8df9cc45d63361e578fa78c835712ea7b72a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <mich...@niedermayer.cc> Date: Tue, 19 Aug 2025 03:12:37 +0200 Subject: [PATCH 2/2] avcodec/dxv: Check coded_height, to avoid invalid av_clip() Fixes: assertion failure Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/dxv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index b48ee76a88..c3fe5c5ab2 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -940,6 +940,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame, } break; } + if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1) + return AVERROR_INVALIDDATA; texdsp_ctx.slice_count = av_clip(avctx->thread_count, 1, avctx->coded_height / TEXTURE_BLOCK_H); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
