On 11/4/24 9:59 PM, James Almer wrote:
On 11/4/2024 11:23 PM, Michael Niedermayer wrote:
Fixes: Use of uninitialised value of size 8

Odd, the only load op with dec->window appears to be 4 bytes.

Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
  libavcodec/jpegxl_parser.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 8c45e1a1b73..179ca1170bd 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -847,7 +847,7 @@ static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec,
      }
      if (bundle->lz77_enabled && !dec->window) {
-        dec->window = av_malloc_array(1 << 20, sizeof(uint32_t));
+        dec->window = calloc(1 << 20, sizeof(uint32_t));
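
Review bot: the `+` line replaces `av_malloc_array()` with libc `calloc()`, but `dec->window` is an FFmpeg-managed buffer that is later released with `av_free()`, so allocator and deallocator no longer match; use `av_calloc(1 << 20, sizeof(uint32_t))` to keep both on the av_* side. Separately, zero-filling the window only masks the uninitialised read the sanitizer flagged: a back-reference that lands on a window slot nothing has written yet is either a malformed stream or a decoder bug, and the read side should reject a distance larger than the number of bytes produced so far rather than depend on the buffer being zeroed.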

av_calloc(). How did it not crash for you once it was freed by av_free?

Also, wouldn't this be hiding a bug? Reading memory that was expected to be previously set.


It would be, as this is just a sliding LZ77 window. Reading uninitialized bytes that weren't written is a bug. I'd be curious to see the fuzz case so I could run it through valgrind and figure out why that's happening.

This says reported by Kacper, could you send me the fuzz testcase?

- Leo Izen (Traneptora)
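
The failure the thread discusses is a back-reference into a sliding LZ77 window that reaches a slot nothing has written yet. The following is an added example, not code from this thread or from FFmpeg's jpegxl_parser.c: a minimal LZ77-style decoder with a constructed token format, whose window is allocated uninitialised (like `av_malloc_array()`) and which stays correct because every copy is checked against the bytes produced so far instead of relying on a zeroed buffer. All names (`Token`, `LZ77Decoder`, `lz77_decode`, the window size) are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not FFmpeg code: toy LZ77 window decoder with a
 * distance check. Token layout and window size are constructed. */

#define WINDOW_BITS 12
#define WINDOW_SIZE (1u << WINDOW_BITS)
#define WINDOW_MASK (WINDOW_SIZE - 1)

enum { TOK_LITERAL = 0, TOK_COPY = 1 };

typedef struct {
    uint8_t  kind;  /* TOK_LITERAL or TOK_COPY */
    uint8_t  lit;   /* literal byte when kind == TOK_LITERAL */
    uint32_t dist;  /* back-reference distance when kind == TOK_COPY */
    uint32_t len;   /* number of bytes to copy when kind == TOK_COPY */
} Token;

typedef struct {
    uint8_t *window;  /* ring buffer of previously emitted bytes */
    uint64_t written; /* total bytes emitted so far */
} LZ77Decoder;

/* Window is deliberately left uninitialised, like av_malloc_array(),
 * so that only the distance check below stands between a malformed
 * stream and a read of garbage. Returns 0 on success, -1 on OOM. */
static int lz77_decoder_init(LZ77Decoder *dec)
{
    dec->window  = malloc(WINDOW_SIZE);
    dec->written = 0;
    return dec->window ? 0 : -1;
}

static void lz77_decoder_free(LZ77Decoder *dec)
{
    free(dec->window);
    dec->window = NULL;
}

/* Decodes toks into out. Returns bytes written, or -1 on a malformed
 * stream (bad distance) or when out_cap is exhausted. */
static int lz77_decode(LZ77Decoder *dec, const Token *toks, size_t ntoks,
                       uint8_t *out, size_t out_cap)
{
    size_t outpos = 0;
    for (size_t i = 0; i < ntoks; i++) {
        const Token *t = &toks[i];
        if (t->kind == TOK_LITERAL) {
            if (outpos >= out_cap)
                return -1;
            dec->window[dec->written & WINDOW_MASK] = t->lit;
            out[outpos++] = t->lit;
            dec->written++;
            continue;
        }
        /* A back-reference may only point at data that was actually
         * produced: distance 0 is meaningless, and a distance beyond
         * the bytes written so far (or beyond the window) would read
         * slots that nothing has initialised. */
        if (t->dist == 0 || t->dist > dec->written || t->dist > WINDOW_SIZE)
            return -1;
        /* Byte-at-a-time copy so overlapping references (dist < len),
         * the usual LZ77 run encoding, behave as intended. */
        for (uint32_t k = 0; k < t->len; k++) {
            if (outpos >= out_cap)
                return -1;
            uint8_t b = dec->window[(dec->written - t->dist) & WINDOW_MASK];
            dec->window[dec->written & WINDOW_MASK] = b;
            out[outpos++] = b;
            dec->written++;
        }
    }
    return (int)outpos;
}

/* Constructed well-formed stream: "abc", copy(3,3), copy(1,2) -> "abcabccc". */
static int run_valid(uint8_t *out, size_t cap)
{
    const Token toks[] = {
        { TOK_LITERAL, 'a', 0, 0 }, { TOK_LITERAL, 'b', 0, 0 },
        { TOK_LITERAL, 'c', 0, 0 }, { TOK_COPY, 0, 3, 3 },
        { TOK_COPY, 0, 1, 2 },
    };
    LZ77Decoder dec;
    if (lz77_decoder_init(&dec) < 0)
        return -1;
    int n = lz77_decode(&dec, toks, sizeof toks / sizeof toks[0], out, cap);
    lz77_decoder_free(&dec);
    return n;
}

/* Constructed malformed stream: one literal, then a reference 5 bytes
 * back. Without the check this would read an uninitialised slot. */
static int run_bad_distance(void)
{
    const Token toks[] = { { TOK_LITERAL, 'a', 0, 0 }, { TOK_COPY, 0, 5, 1 } };
    uint8_t out[8];
    LZ77Decoder dec;
    if (lz77_decoder_init(&dec) < 0)
        return -1;
    int n = lz77_decode(&dec, toks, 2, out, sizeof out);
    lz77_decoder_free(&dec);
    return n;
}

int main(void)
{
    uint8_t out[16];
    int n = run_valid(out, sizeof out);
    printf("valid stream: %d bytes: %.*s\n", n, n > 0 ? n : 0, out);
    printf("bad distance: %d (rejected)\n", run_bad_distance());
    return 0;
}
```

The check on `dist` is what a sanitizer-clean decoder needs; zero-filling the window with `calloc()` would make the bad stream decode silently to a NUL byte and hide the malformed input, which is the concern raised above.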

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
