lzf: update pointer p after realloc
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fri, 4 Nov 2016 21:58:49 +0000 (22:58 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Thu, 17 Nov 2016 22:13:19 +0000 (23:13 +0100)
This fixes heap-use-after-free detected by AddressSanitizer.

Reviewed-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/lzf.c

index 409a7ff..5b7526e 100644 (file)
@@ -53,6 +53,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             bytestream2_get_buffer(gb, p, s);
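Review bot: The return value of `bytestream2_get_buffer(gb, p, s)` just after the resize block is discarded, so a truncated input would leave part of the `s`-byte destination unwritten. That region comes from `av_reallocp` and is not zeroed, so the unwritten bytes would hold stale heap contents that may end up in the decoded output. Unless a check outside this hunk already guarantees that `s` bytes remain in `gb`, the call should be checked: `if (bytestream2_get_buffer(gb, p, s) != s) return AVERROR_INVALIDDATA;`. `ff_lzf_uncompress` starts and ends outside the hunk, so the loop condition and the way `len` advances are not visible here.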
@@ -75,6 +76,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 ret = av_reallocp(buf, *size);
                 if (ret < 0)
                     return ret;
+                p = *buf + len;
             }
 
             av_memcpy_backptr(p, off, l);
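Review bot: Nothing visible here confirms that a single resize leaves room for the `l` bytes that `av_memcpy_backptr(p, off, l)` writes at `*buf + len`; the rebase added by this commit fixes the stale pointer, not the capacity. If the growth step outside the hunk is proportional to the old `*size`, a small starting buffer could still be too short after one step. It is worth re-checking after the rebase, e.g. `if (l > *size - len) return AVERROR(ENOMEM);`, or growing in a loop until the write fits. The same question applies to the literal copy of `s` bytes in the first hunk; the function body continues outside both hunks.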