avcodec/tiff: Use av_fast_padded_malloc() in tiff_unpack_fax()

Fixes: Timeout
Fixes: 1213/clusterfuzz-testcase-minimized-6022987469815808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2017-06-03 23:57:58 +02:00
parent 361e0310d9
commit 9221445fa0
1 changed files with 8 additions and 3 deletions


@ -74,6 +74,8 @@ typedef struct TiffContext {
int deinvert_buf_size; int deinvert_buf_size;
uint8_t *yuv_line; uint8_t *yuv_line;
unsigned int yuv_line_size; unsigned int yuv_line_size;
uint8_t *fax_buffer;
unsigned int fax_buffer_size;
int geotag_count; int geotag_count;
TiffGeoTag *geotags; TiffGeoTag *geotags;
@ -452,8 +454,10 @@ static int tiff_unpack_fax(TiffContext *s, uint8_t *dst, int stride,
{ {
int i, ret = 0; int i, ret = 0;
int line; int line;
uint8_t *src2 = av_malloc((unsigned)size + uint8_t *src2;
AV_INPUT_BUFFER_PADDING_SIZE);
av_fast_padded_malloc(&s->fax_buffer, &s->fax_buffer_size, size);
src2 = s->fax_buffer;
if (!src2) { if (!src2) {
av_log(s->avctx, AV_LOG_ERROR, av_log(s->avctx, AV_LOG_ERROR,
@ -475,7 +479,6 @@ static int tiff_unpack_fax(TiffContext *s, uint8_t *dst, int stride,
horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0); horizontal_fill(s->bpp, dst, 1, dst, 0, width, 0);
dst += stride; dst += stride;
} }
av_free(src2);
return ret; return ret;
} }
@ -1408,6 +1411,8 @@ static av_cold int tiff_end(AVCodecContext *avctx)
ff_lzw_decode_close(&s->lzw); ff_lzw_decode_close(&s->lzw);
av_freep(&s->deinvert_buf); av_freep(&s->deinvert_buf);
av_freep(&s->fax_buffer);
s->fax_buffer_size = 0;
return 0; return 0;
} }
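Review bot: In the tiff_unpack_fax() hunk, `s->fax_buffer` is now kept in the context and reused across calls, so any byte the current call does not overwrite is left over from an earlier strip rather than coming from a fresh allocation. The code that fills `src2` lies outside the visible hunk, so it is worth confirming that it always writes all `size` bytes before the fax decoder reads them, and recording that next to the allocation, e.g. `/* reused scratch buffer: the first size bytes must be fully rewritten below before decoding */`. The old call also cast `size` with `(unsigned)`, while the new one passes the `int` straight through to the allocator. If callers cannot guarantee `size >= 0` (not visible here), an explicit `if (size < 0) return AVERROR_INVALIDDATA;` before the call would make that failure mode explicit instead of relying on the allocation failing.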