Commit af70bfbe authored by James Almer's avatar James Almer

avcodec/h2645_parse: zero initialize the rbsp buffer

Fixes ticket #8093
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
parent 0821bc4e
...@@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc) ...@@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc)
static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref)
{ {
int min_size = size;
if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
goto fail; goto fail;
size += AV_INPUT_BUFFER_PADDING_SIZE; size += AV_INPUT_BUFFER_PADDING_SIZE;
if (rbsp->rbsp_buffer_alloc_size >= size && if (rbsp->rbsp_buffer_alloc_size >= size &&
(!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) {
av_assert0(rbsp->rbsp_buffer);
memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
return; return;
}
size = FFMIN(size + size / 16 + 32, INT_MAX); size = FFMIN(size + size / 16 + 32, INT_MAX);
...@@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) ...@@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref)
else else
av_free(rbsp->rbsp_buffer); av_free(rbsp->rbsp_buffer);
rbsp->rbsp_buffer = av_malloc(size); rbsp->rbsp_buffer = av_mallocz(size);
if (!rbsp->rbsp_buffer) if (!rbsp->rbsp_buffer)
goto fail; goto fail;
rbsp->rbsp_buffer_alloc_size = size; rbsp->rbsp_buffer_alloc_size = size;
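Review bot: The reuse path at `memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);` clears only the trailing padding, so bytes in `[0, min_size)` left by an earlier use of the buffer survive, whereas the `av_mallocz(size)` path returns a fully zeroed buffer. If any caller can read a byte in that range before writing it (not visible in these hunks), the two paths behave differently and stale data reaches the parser; a comment on the fast path such as `/* only the padding is cleared here; the caller must fill [0, min_size) before reading */` would make the contract explicit. Separately, `int min_size = size;` converts an `unsigned int` before the `INT_MAX` range check runs; the value is unused on the `fail` path, but `unsigned int min_size = size;` avoids the out-of-range conversion altogether. The body of alloc_rbsp_buffer continues between and after the two hunks.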
......