GitList

Browse code

avformat/flac_picture: allocate buffer padding for picture

Fixes: heap array overread
Fixes: asan_heap-oob_14876d9_4706_cov_815472558_cover_art.flac
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Michael Niedermayer authored on 2014/02/01 01:21:32
Showing 1 changed files

libavformat/flac_picture.c index 12d73e4..a58b305 100644

libavformat/flac_picture.c

History View file @ fff2953

@@ -107,7 +107,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
             ret = AVERROR_INVALIDDATA;
         goto fail;
     }
-    if (!(data = av_buffer_alloc(len))) {
+    if (!(data = av_buffer_alloc(len + FF_INPUT_BUFFER_PADDING_SIZE))) {
         RETURN_ERROR(AVERROR(ENOMEM));
     }
     if (avio_read(pb, data->data, len) != len) {

...	...	@@ -107,7 +107,7 @@ int ff_flac_parse_picture(AVFormatContext s, uint8_t buf, int buf_size)
107	107	ret = AVERROR_INVALIDDATA;
108	108	goto fail;
109	109	}
110		- if (!(data = av_buffer_alloc(len))) {
	110	+ if (!(data = av_buffer_alloc(len + FF_INPUT_BUFFER_PADDING_SIZE))) {
111	111	RETURN_ERROR(AVERROR(ENOMEM));
112	112	}
113	113	if (avio_read(pb, data->data, len) != len) {