On 10/5/2019 6:41 PM, Michael Niedermayer wrote: > Fixes: Timeout (17sec ->281ms) > Fixes: > 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/h2645_parse.c | 6 +++++- > libavcodec/h2645_parse.h | 1 + > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c > index ef6a6b4b4f..34c731430f 100644 > --- a/libavcodec/h2645_parse.c > +++ b/libavcodec/h2645_parse.c > @@ -455,8 +455,12 @@ int ff_h2645_packet_split(H2645Packet *pkt, const > uint8_t *buf, int length, > > if (pkt->nals_allocated < pkt->nb_nals + 1) { > int new_size = pkt->nals_allocated + 1; > - void *tmp = av_realloc_array(pkt->nals, new_size, > sizeof(*pkt->nals)); > + void *tmp; > > + if (new_size >= INT_MAX / sizeof(*pkt->nals)) > + return AVERROR(ENOMEM); > + > + tmp = av_fast_realloc(pkt->nals, &pkt->nals_byte_allocated, > new_size * sizeof(*pkt->nals)); > if (!tmp) > return AVERROR(ENOMEM); > > diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h > index 2c29ca517c..0ac2b1bd9d 100644 > --- a/libavcodec/h2645_parse.h > +++ b/libavcodec/h2645_parse.h > @@ -78,6 +78,7 @@ typedef struct H2645Packet { > H2645RBSP rbsp; > int nb_nals; > int nals_allocated; > + unsigned nals_byte_allocated;
Maybe nal_buffer_size instead. LGTM either way. > } H2645Packet; > > /** > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
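Review bot: nothing in the libavcodec/h2645_parse.c hunk (or elsewhere in this two-file diff) resets the new size field where pkt->nals is freed or nals_allocated is zeroed, and av_fast_realloc trusts that field: when it is handed a `min_size` that is already <= `*size` it returns the pointer unchanged without allocating, so a stale `nals_byte_allocated` after a free would make the next split hand back NULL and fail at the `if (!tmp)` line with ENOMEM instead of growing the array. Suggest zeroing `pkt->nals_byte_allocated` in the same place pkt->nals is released. The added `if (new_size >= INT_MAX / sizeof(*pkt->nals))` check is needed now that av_realloc_array's built-in overflow check is gone, and bounding at INT_MAX rather than UINT_MAX is the right choice because av_fast_realloc pads the request by `min_size/16 + 32` before storing the byte count into the unsigned field; on allocation failure it also sets that field to 0 while leaving the old buffer in place, so the existing ENOMEM return below it stays consistent.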