In f7ac3512f5b5cb8eb149f37300b43461d8e93af3 the size of the dynamically
allocated buffer was shrunk, but it was made too small for very small
alphabet sizes. This patch sets a minimum size to prevent an OOB read.
Reported-by: Cole Dilorenzo <coolkingc...@gmail.com>
Signed-off-by: Leo Izen <leo.i...@gmail.com>
---
libavcodec/jpegxl_parser.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index dde36b0d6e..e00e01e82b 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -726,8 +726,8 @@ static int read_vlc_prefix(GetBitContext *gb,
JXLEntropyDecoder *dec, JXLSymbolD
if (ret < 0)
goto end;
- buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) +
sizeof(int16_t) + sizeof(uint32_t))
- + sizeof(uint32_t));
+ buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) +
sizeof(int16_t))
+ + FFMAX(15, dist->alphabet_size + 1) * sizeof(uint32_t));
if (!buf) {
ret = AVERROR(ENOMEM);
goto end;
--
2.42.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
