* [FFmpeg-devel] [PATCH] ff_lxf_uncompress realloc vs av_fast_realloc fix (PR #20280)
@ 2025-08-19  1:23 michaelni via ffmpeg-devel
  0 siblings, 0 replies; only message in thread
From: michaelni via ffmpeg-devel @ 2025-08-19  1:23 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: michaelni

PR #20280 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280.patch

ff_lzf_uncompress() grows the output array with av_reallocp(), even though the caller allocated that array with av_fast_realloc(). This patchset fixes the mismatch by adding av_fast_realloc() support to ff_lzf_uncompress().



From cee3985dd978103cab742b6cc5fa98aad9ad8608 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 19 Aug 2025 03:09:14 +0200
Subject: [PATCH 1/2] avcode: Use av_fast_realloc() in ff_lzf_uncompress()

Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Fixes: mixed up realloc() functions

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c     |  2 +-
 libavcodec/lzf.c     | 28 +++++++++++++++++++++++-----
 libavcodec/lzf.h     |  2 +-
 libavcodec/notchlc.c |  2 +-
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index dd82e450b1..b48ee76a88 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
 static int dxv_decompress_lzf(AVCodecContext *avctx)
 {
     DXVContext *ctx = avctx->priv_data;
-    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size);
+    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size);
 }
 
 static int dxv_decompress_raw(AVCodecContext *avctx)
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 94b369dd59..3e8780d599 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -37,7 +37,27 @@
 #define LZF_LITERAL_MAX (1 << 5)
 #define LZF_LONG_BACKREF 7 + 2
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
+
+static inline int lzf_realloc(uint8_t **buf, int64_t *size, int addition, unsigned *allocated_size)
+{
+    if (allocated_size) {
+        void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition);
+        if (!ptr) {
+            av_freep(buf); //probably not needed
+            return AVERROR(ENOMEM);
+        }
+        *buf = ptr;
+        *size += addition;
+
+        return 0;
+    } else {
+        //TODO remove this codepath after updating notchlc
+        *size += addition + *size / 2;
+        return av_reallocp(buf, *size);
+    }
+}
+
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size)
 {
     int ret     = 0;
     uint8_t *p  = *buf;
@@ -49,8 +69,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
         if (s < LZF_LITERAL_MAX) {
             s++;
             if (s > *size - len) {
-                *size += s + *size /2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, s, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
@@ -75,8 +94,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 return AVERROR_INVALIDDATA;
 
             if (l > *size - len) {
-                *size += l + *size / 2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, l, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h
index 0ad73d9f79..5a89b6a876 100644
--- a/libavcodec/lzf.h
+++ b/libavcodec/lzf.h
@@ -24,6 +24,6 @@
 
 #include "bytestream.h"
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size);
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size);
 
 #endif /* AVCODEC_LZF_H */
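Review bot: The new `allocated_size` parameter changes what `*size` means on return, and lzf.h carries no documentation for either mode. I would add a Doxygen comment above the prototype along the lines of `@param size on input the usable size of *buf; on return the size required by the uncompressed data (allocated_size != NULL) or the new allocation size (allocated_size == NULL)` and `@param allocated_size if non-NULL, *buf was obtained via av_fast_realloc() and this is its allocation size; pass NULL to keep the av_reallocp() growth`. The NULL mode is marked TODO for removal in lzf.c, so the comment should say it is transitional.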
diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c
index 246a3e0174..51a94660cd 100644
--- a/libavcodec/notchlc.c
+++ b/libavcodec/notchlc.c
@@ -490,7 +490,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
         return AVERROR_PATCHWELCOME;
 
     if (s->format == 0) {
-        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size);
+        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, NULL);
         if (ret < 0)
             return ret;
 
-- 
2.49.1


From 19c8df9cc45d63361e578fa78c835712ea7b72a0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 19 Aug 2025 03:12:37 +0200
Subject: [PATCH 2/2] avcodec/dxv: Check coded_height, to avoid invalid
 av_clip()

Fixes: assertion failure
Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index b48ee76a88..c3fe5c5ab2 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -940,6 +940,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame,
         }
         break;
     }
+    if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+        return AVERROR_INVALIDDATA;
 
     texdsp_ctx.slice_count  = av_clip(avctx->thread_count, 1,
                                       avctx->coded_height / TEXTURE_BLOCK_H);
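Review bot: The added guard rejects `coded_height < 2 * TEXTURE_BLOCK_H`, which is tighter than what the av_clip() two lines below needs (that call only requires `coded_height / TEXTURE_BLOCK_H >= 1`), and nothing in the hunk explains the extra `/ 2`. If the halving is there because a later half-height texture path outside this hunk divides by 2 before clipping, a comment should say so, e.g. `/* need at least one block row even for the half-height planes, else av_clip() gets max < min */`. Assuming coded_height is non-negative and TEXTURE_BLOCK_H is positive, `if (avctx->coded_height < 2 * TEXTURE_BLOCK_H)` is equivalent and reads more directly. dxv_decode() starts and ends outside the hunk, so whether this check belongs here or at init time cannot be judged from the diff.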
-- 
2.49.1
