In f7ac3512f5b5cb8eb149f37300b43461d8e93af3 the size of the dynamically
allocated buffer was shrunk, but it was made too small for very small
alphabet sizes. This patch sets a minimum size to prevent an OOB read.

Reported-by: Cole Dilorenzo <coolkingc...@gmail.com>
Signed-off-by: Leo Izen <leo.i...@gmail.com>
---
 libavcodec/jpegxl_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index dde36b0d6e..e00e01e82b 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -726,8 +726,8 @@ static int read_vlc_prefix(GetBitContext *gb, 
JXLEntropyDecoder *dec, JXLSymbolD
     if (ret < 0)
         goto end;
 
-    buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) + 
sizeof(int16_t) + sizeof(uint32_t))
-                     + sizeof(uint32_t));
+    buf = av_mallocz(dist->alphabet_size * (2 * sizeof(int8_t) + 
sizeof(int16_t))
+        + FFMAX(15, dist->alphabet_size + 1) * sizeof(uint32_t));
     if (!buf) {
         ret = AVERROR(ENOMEM);
         goto end;
-- 
2.42.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to