In f7ac3512f5b5cb8eb149f37300b43461d8e93af3 the size of the dynamically allocated buffer was shrunk, but it was made too small for very small alphabet sizes. This patch sets a minimum size to prevent an OOB read.
Reported-by: Cole Dilorenzo <coolkingc...@gmail.com> Signed-off-by: Leo Izen <leo.i...@gmail.com> --- libavcodec/jpegxl_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index dde36b0d6e..e00e01e82b 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -726,8 +726,8 @@ static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD if (ret < 0) goto end; - buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) + sizeof(int16_t) + sizeof(uint32_t)) - + sizeof(uint32_t)); + buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) + sizeof(int16_t)) + + FFMAX(15, dist->alphabet_size + 1) * sizeof(uint32_t)); if (!buf) { ret = AVERROR(ENOMEM); goto end; -- 2.42.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".