Fixes: Timeout (17sec ->281ms)
Fixes: 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/h2645_parse.c | 6 +++++-
 libavcodec/h2645_parse.h | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index ef6a6b4b4f..34c731430f 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -455,8 +455,12 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
         if (pkt->nals_allocated < pkt->nb_nals + 1) {
             int new_size = pkt->nals_allocated + 1;
-            void *tmp = av_realloc_array(pkt->nals, new_size, sizeof(*pkt->nals));
+            void *tmp;
+            if (new_size >= INT_MAX / sizeof(*pkt->nals))
+                return AVERROR(ENOMEM);
+
+            tmp = av_fast_realloc(pkt->nals, &pkt->nals_byte_allocated, new_size * sizeof(*pkt->nals));
             if (!tmp)
                 return AVERROR(ENOMEM);
diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h
index 2c29ca517c..0ac2b1bd9d 100644
--- a/libavcodec/h2645_parse.h
+++ b/libavcodec/h2645_parse.h
@@ -78,6 +78,7 @@ typedef struct H2645Packet {
     H2645RBSP rbsp;
     int nb_nals;
     int nals_allocated;
+    unsigned nals_byte_allocated;
 } H2645Packet;
 /**
-- 
2.23.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
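Review bot: The new `nals_byte_allocated` counter is only kept in sync with `pkt->nals` inside this hunk; the diffstat shows nothing else in h2645_parse.c changes, so whichever routine frees `pkt->nals` and zeroes `nals_allocated` (presumably ff_h2645_packet_uninit, not visible here) leaves the byte count stale. On the next split of a reused packet, `av_fast_realloc(NULL, &stale_size, ...)` would, as far as I recall its contract, see `min_size <= *size` and return the NULL pointer unchanged, which the `if (!tmp)` branch then reports as ENOMEM instead of allocating — wherever `pkt->nals` is freed or reset, add `pkt->nals_byte_allocated = 0;` next to the `nals_allocated` reset. The `INT_MAX / sizeof(*pkt->nals)` guard is conservative but sound, since `av_fast_realloc` tracks the size in an `unsigned` and its geometric overshoot on a request below INT_MAX stays within UINT_MAX; a short comment saying that is why INT_MAX rather than UINT_MAX is used would stop someone "fixing" it later. `ff_h2645_packet_split` begins before and continues after this hunk, so the `pkt->nals = tmp` / `nals_allocated` update that follows is not under review here.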
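Review bot: `nals_byte_allocated` is added without a comment, and its name is easy to confuse with the adjacent `nals_allocated`, which the .c hunk uses as an element count, while the new member is passed to `av_fast_realloc` as a byte size; the two must be reset together, so documenting the distinction at the declaration is worth it, e.g. `unsigned nals_byte_allocated; ///< byte size of the nals buffer, owned by av_fast_realloc(); reset with nals_allocated`. The other members visible in the hunk are uncommented too, but this is the one whose unit differs from its neighbour.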