This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.3 in repository ffmpeg.
commit 01d5c4014319ce804a4eb01359779330f86c45e4 Author: Jiasheng Jiang <[email protected]> AuthorDate: Thu Jul 10 16:26:39 2025 +0000 Commit: James Almer <[email protected]> CommitDate: Fri Jan 2 21:58:51 2026 +0000 libavcodec/alsdec.c: Add check for av_malloc_array() and av_calloc() Add check for the return value of av_malloc_array() and av_calloc() to avoid potential NULL pointer dereference. Backport comment: In v5.1 and newer, av_calloc is used, but in v4.3 we had av_mallocz_array, but it's susceptible to ENOMEM just the same. Fixes: CVE-2025-7700 Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding") Signed-off-by: Jiasheng Jiang <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07) Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e) Signed-off-by: Carlos Henrique Lima Melara <[email protected]> --- libavcodec/alsdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index fd2f6f022f..6f03c6508d 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2116,8 +2116,8 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits)); ctx->mlz = av_mallocz(sizeof(*ctx->mlz)); - if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value - || !ctx->last_acf_mantissa || !ctx->raw_mantissa) { + if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value + || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); ret = AVERROR(ENOMEM); goto fail; @@ -2128,6 +2128,10 @@ static av_cold int decode_init(AVCodecContext *avctx) for (c = 0; c < avctx->channels; ++c) { ctx->raw_mantissa[c] = av_mallocz_array(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa)); + if (!ctx->raw_mantissa[c]) { + av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); + return AVERROR(ENOMEM); + } } } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
