From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 535D5401DE for ; Fri, 16 Jan 2026 03:12:25 +0000 (UTC)
Received: from [172.20.0.4] (unknown [172.20.0.4]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id AD3A4690E3D; Fri, 16 Jan 2026 05:12:10 +0200 (EET)
Received: from 69dab402ede7 (code.ffmpeg.org [188.245.149.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id F34B6690936 for ; Fri, 16 Jan 2026 05:11:41 +0200 (EET)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 16 Jan 2026 03:11:41 -0000
Message-ID: <176853310228.25.6706382609975770320@4457048688e7>
Message-ID-Hash: WPTJTKLQVJI6W77B5N4DXUVUQIFTWJJP X-Message-ID-Hash: WPTJTKLQVJI6W77B5N4DXUVUQIFTWJJP X-MailFrom: code@ffmpeg.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-ffmpeg-devel.ffmpeg.org-0; header-match-ffmpeg-devel.ffmpeg.org-1; header-match-ffmpeg-devel.ffmpeg.org-2; header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PR] avcodec/dxv: Clear tex_data padding on all reallocation (PR #21484) List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: michaelni via ffmpeg-devel Cc: michaelni Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: PR #21484 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21484 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21484.patch The code previously cleared it on direct fast_realloc() but ff_lzf_uncompress() can also cause reallocation >>From 38c03957438de1636219de2a3c77379a7cd3d66f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2026 03:31:14 +0100 Subject: [PATCH 1/2] avcodec/lzf: Remove size messing from ff_lzf_uncompress() size represents the output size randomly changing it but not reseting it on errors leaks uninitialized memory. Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/lzf.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 8f223b1f42..5d6e9925d4 100644 --- a/libavcodec/lzf.c 
+++ b/libavcodec/lzf.c @@ -38,16 +38,15 @@ #define LZF_LONG_BACKREF 7 + 2 -static inline int lzf_realloc(uint8_t **buf, size_t *size, int addition, unsigned *allocated_size) +static inline int lzf_realloc(uint8_t **buf, size_t new_size, unsigned *allocated_size) { - void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition); + void *ptr = av_fast_realloc(*buf, allocated_size, new_size); if (!ptr) { av_freep(buf); //probably not needed return AVERROR(ENOMEM); } *buf = ptr; - *size += addition; return 0; } @@ -63,8 +62,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned if (s < LZF_LITERAL_MAX) { s++; - if (s > *size - len) { - ret = lzf_realloc(buf, size, s, allocated_size); + if (s > *allocated_size - len) { + ret = lzf_realloc(buf, len + s, allocated_size); if (ret < 0) return ret; p = *buf + len; @@ -88,8 +87,8 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned if (off > len) return AVERROR_INVALIDDATA; - if (l > *size - len) { - ret = lzf_realloc(buf, size, l, allocated_size); + if (l > *allocated_size - len) { + ret = lzf_realloc(buf, len + l, allocated_size); if (ret < 0) return ret; p = *buf + len; -- 2.52.0 >>From 3f446b56e73b948aade4f0c400ca1eca176b7832 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2026 03:40:04 +0100 Subject: [PATCH 2/2] avcodec/dxv: Clear tex_data padding on reallocation dxv assumes that newly reallocated memory in tex_data is not uninitialized thus we have to do that too in case of reallocation in ff_lzf_uncompress() Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 07eee253e7..626dd75a33 100644 --- a/libavcodec/dxv.c 
+++ b/libavcodec/dxv.c @@ -828,7 +828,12 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) static int dxv_decompress_lzf(AVCodecContext *avctx) { DXVContext *ctx = avctx->priv_data; - return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size); + unsigned old_size = ctx->tex_data_size; + int ret = ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size); + old_size = FFMAX(old_size, ctx->tex_size); + if (ctx->tex_data_size > old_size) + memset(ctx->tex_data + old_size, 0, ctx->tex_data_size - old_size); + return ret; } static int dxv_decompress_raw(AVCodecContext *avctx) -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
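Review bot: the failure path of lzf_realloc in the first lzf.c hunk (@@ -38,16 +38,15 @@) still reads `av_freep(buf); //probably not needed`, and since this hunk already rewrites the function it is the right moment to settle that comment instead of carrying it forward. If av_fast_realloc leaves the old buffer valid on failure, the av_freep can go; if it stays, `*allocated_size` should be zeroed next to it (or its zeroing by av_fast_realloc stated in a comment) so that a NULL `*buf` never reaches the next `*allocated_size - len` check with a nonzero capacity. A one-line comment that `new_size` is the absolute target (`len + s` / `len + l` at the call sites), not an increment like the old `addition`, would also help readers of the new signature.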
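Review bot: in the literal-run hunk (@@ -63,8 +62,8 @@), `s > *allocated_size - len` makes the write depend on `*allocated_size` never overstating the real allocation of `*buf`; the old `*size`-based check was self-correcting because `*size` moved in step with each realloc, the new one is not. The subtraction is unsigned, so a stale, too-large capacity from a caller would keep the check false and the copy at `p = *buf + len` would run past the buffer. Please state in lzf.h that `*allocated_size` must be the av_fast_realloc-tracked capacity of `*buf` (0 for a NULL buffer), and that `*size` is only meaningful when the function returns 0, which is exactly the contract the dxv change relies on.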
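Review bot: the back-reference hunk (@@ -88,8 +87,8 @@) repeats the same check, realloc and `p = *buf + len` reseat as the literal case, now with `l` instead of `s`. Consider moving that step into lzf_realloc itself (pass `len`, the run length and `&p`, and let it decide whether to grow) so the two call sites cannot drift apart again. The `if (off > len) return AVERROR_INVALIDDATA;` validation correctly stays ahead of the realloc, so an invalid back-reference never grows the buffer.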
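Review bot: in the dxv.c hunk, `old_size = FFMAX(old_size, ctx->tex_size)` is evaluated on the error path too, where tex_size is now the pre-call value (the first patch no longer touches `*size` on error); the clear is still correct there, but only because the lower bound is max(old capacity, tex_size) and never falls below bytes ff_lzf_uncompress already wrote, which deserves a comment. Two smaller points: on ENOMEM lzf_realloc does `av_freep(buf)`, so `ctx->tex_data` is NULL here and only the `ctx->tex_data_size > old_size` guard keeps the memset away; an explicit `ctx->tex_data &&` in the condition would make that independent of how tex_data_size is reset. And `old_size` is `unsigned` while FFMAX mixes it with `ctx->tex_size`; if tex_size is a wider type the assignment truncates silently, so either match the types or assert the bound. The commit message's "is not uninitialized" reads as a double negative; "is zero-initialized" says what the code now guarantees.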
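The two patches change one contract from two sides: ff_lzf_uncompress stops using `*size` as scratch capacity and writes it only on success, and dxv zeroes whatever the call newly allocated above the old capacity. The C program below is an added illustration of both patterns and is not FFmpeg code: `grow` is a hypothetical stand-in for av_fast_realloc, the "length byte followed by literals" stream is a constructed toy rather than LZF, and `decode` carries a `pre_fix` flag so the pre-fix and post-fix bookkeeping can be compared on the same truncated input. `overclaimed_bytes` measures how many bytes the reported size claims beyond what was actually written when the stream is cut off, and `nonzero_padding_bytes` checks that the caller-side clear leaves no stale bytes between the output size and the new capacity.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for av_fast_realloc: grow *buf to min_size plus slack,
 * track the capacity in *allocated, leave the old buffer alone on failure. */
static int grow(uint8_t **buf, unsigned *allocated, size_t min_size)
{
    size_t cap = min_size + min_size / 16 + 32;
    uint8_t *p;
    if (min_size <= *allocated)
        return 0;
    if (!(p = realloc(*buf, cap)))
        return -ENOMEM;
    *buf = p;
    *allocated = (unsigned)cap;
    return 0;
}

/* Toy decoder: each record is a length byte s (1..255) followed by s literals;
 * s == 0 or a cut-off record is corrupt input (the AVERROR_INVALIDDATA cases).
 * pre_fix == 1 reproduces the pattern the first patch removes: *size doubles as
 * the capacity check and is bumped as the buffer grows, before the literals
 * land, so any later error leaves it inflated. pre_fix == 0 mirrors the lzf.c
 * hunks: the check runs against the real capacity, the realloc asks for the
 * absolute target len + s, and *size is written exactly once, on success. */
static int decode(const uint8_t *in, size_t in_len, uint8_t **buf,
                  size_t *size, unsigned *allocated, int pre_fix)
{
    size_t len = 0, pos = 0;
    while (pos < in_len) {
        unsigned s = in[pos++];
        if (s == 0)
            return -EINVAL;
        if (s > (pre_fix ? *size : *allocated) - len) {
            int ret = grow(buf, allocated, (pre_fix ? *size : len) + s);
            if (ret < 0)
                return ret;
            if (pre_fix)
                *size += s;                  /* claimed before it is written */
        }
        if (pos + s > in_len)
            return -EINVAL;                  /* truncated: pre-fix *size stays inflated */
        memcpy(*buf + len, in + pos, s);
        pos += s, len += s;
    }
    *size = len;
    return 0;
}

/* Caller side, as in the dxv.c hunk: zero whatever the decoder allocated above
 * max(old capacity, output size) so later padding reads never see stale heap. */
static int decode_and_clear_padding(const uint8_t *in, size_t in_len,
                                    uint8_t **buf, size_t *size, unsigned *allocated)
{
    unsigned old = *allocated;
    int ret = decode(in, in_len, buf, size, allocated, 0);
    if (old < *size)
        old = (unsigned)*size;
    if (*allocated > old)
        memset(*buf + old, 0, *allocated - old);
    return ret;
}

/* Bytes the reported size claims beyond what was written for a constructed
 * truncated stream (a 3-byte run, then a run announcing 200 bytes but cut off
 * after 2): 200 with pre_fix == 1, 0 with pre_fix == 0. */
static size_t overclaimed_bytes(int pre_fix)
{
    static const uint8_t in[] = { 3, 'a', 'b', 'c', 200, 'x', 'y' };
    uint8_t *buf = NULL;
    size_t size = 0, written = 3, over = 0;
    unsigned allocated = 0;
    if (decode(in, sizeof in, &buf, &size, &allocated, pre_fix) < 0 && size > written)
        over = size - written;
    free(buf);
    return over;
}

/* Decode a constructed 6-byte stream into a 4-byte buffer prefilled with 0xAA
 * (a "previous frame"); count nonzero bytes left in the padding [size,
 * allocated), or return -1 if the decode did not yield exactly 6 bytes. */
static long nonzero_padding_bytes(void)
{
    static const uint8_t in[] = { 2, 'h', 'i', 4, 'j', 'k', 'l', 'm' };
    unsigned allocated = 4;
    uint8_t *buf = malloc(allocated);
    size_t size = 0;
    long bad = -1;
    if (!buf)
        return -1;
    memset(buf, 0xAA, allocated);
    if (decode_and_clear_padding(in, sizeof in, &buf, &size, &allocated) == 0 && size == 6)
        for (bad = 0; size < allocated; size++)
            bad += buf[size] != 0;
    free(buf);
    return bad;
}
```

With the constructed inputs, `overclaimed_bytes(1)` returns 200 (the pre-fix bookkeeping reports a 203-byte output after writing 3 bytes) while `overclaimed_bytes(0)` returns 0, and `nonzero_padding_bytes()` returns 0 because the wrapper zeroes everything the grow step added above the six decoded bytes.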