avcodec/mscc: move frame allocates to later

Fixes: Timeout Fixes: 66964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SRGC_fuzzer-5413170363564032 Fixes: 69373/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSCC_fuzzer-5239787748392960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-03-20 23:48:24 +01:00 · 2024-03-20 23:48:24 +01:00 · 664fbfb9ac
parent b248dace92
commit 664fbfb9ac
1 changed files with 21 additions and 22 deletions
--- a/libavcodec/mscc.c
+++ b/libavcodec/mscc.c
@ -149,28 +149,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
    if (avpkt->size < 3)
        return buf_size;

-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-
-    if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
-        size_t size;
-        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
-
-        if (pal && size == AVPALETTE_SIZE) {
-#if FF_API_PALETTE_HAS_CHANGED
-FF_DISABLE_DEPRECATION_WARNINGS
-            frame->palette_has_changed = 1;
-FF_ENABLE_DEPRECATION_WARNINGS
-#endif
-            for (j = 0; j < 256; j++)
-                s->pal[j] = 0xFF000000 | AV_RL32(pal + j * 4);
-        } else if (pal) {
-            av_log(avctx, AV_LOG_ERROR,
-                   "Palette size %"SIZE_SPECIFIER" is wrong\n", size);
-        }
-        memcpy(frame->data[1], s->pal, AVPALETTE_SIZE);
-    }
-
    ret = inflateReset(zstream);
    if (ret != Z_OK) {
        av_log(avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", ret);
@ -198,6 +176,27 @@ inflate_error:
        av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret);
        return AVERROR_UNKNOWN;
    }
+    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+        return ret;
+
+    if (avctx->pix_fmt == AV_PIX_FMT_PAL8) {
+        size_t size;
+        const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size);
+
+        if (pal && size == AVPALETTE_SIZE) {
+#if FF_API_PALETTE_HAS_CHANGED
+FF_DISABLE_DEPRECATION_WARNINGS
+            frame->palette_has_changed = 1;
+FF_ENABLE_DEPRECATION_WARNINGS
+#endif
+            for (j = 0; j < 256; j++)
+                s->pal[j] = 0xFF000000 | AV_RL32(pal + j * 4);
+        } else if (pal) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Palette size %"SIZE_SPECIFIER" is wrong\n", size);
+        }
+        memcpy(frame->data[1], s->pal, AVPALETTE_SIZE);
+    }

    bytestream2_init(&gb, s->decomp_buf, zstream->total_out);
    bytestream2_init_writer(&pb, s->uncomp_buf, s->uncomp_size);