eessppeelllloo/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-04 06:39:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/diracdec: Enlarge mctmp to cover the worst-case blheight·ybsep + yblen rows, and break the MC loop when no output rows remain

Browse Source 
Fixes: ffmpeg_ANT-2026-02842_dirac-mctmp-heap-overflow

Discovered by Claude (Anthropic). Confirmed and reported by Thai Duong (Calif.io).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Thai Duong
2026-05-16 04:54:36 +02:00
committed by michaelni
parent dc74fe70b2
commit bbdce45fda
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/diracdec.c
+2 -2
View File
@@ -341,7 +341,7 @@ static int alloc_buffers(DiracContext *s, int stride)
s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
s->mctmp = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp));
s->mctmp = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch)
@@ -1944,7 +1944,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
h = p->height - start;
else
h = p->ybsep - (start - dsty);
if (h < 0)
if (h <= 0)
break;
memset(mctmp+2*p->yoffset*p->stride, 0, 2*rowheight);