avcodec/diracdec: fix heap buffer overflow in edge_emu_buffer
authorAnthony Hurtado <amhurtado@pm.me>
Tue, 19 May 2026 22:21:20 +0000 (17:21 -0500)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 Jun 2026 02:59:08 +0000 (04:59 +0200)
Fixes: poc_dirac_v2_*
(cherry picked from commit 495b402f275e1540dbeb7cca7579d6c1a3a725fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/diracdec.c

index 2a047c0bb9cda41d17e5db901fb058029152b82f..a4a719aa8e2b3bce274b9d8d7b668199d8bed2e6 100644 (file)
@@ -339,7 +339,7 @@ static int alloc_buffers(DiracContext *s, int stride)
     av_freep(&s->mctmp);
     av_freep(&s->mcscratch);
 
-    s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE);
+    s->edge_emu_buffer_base = av_malloc_array(stride, 4 * MAX_BLOCKSIZE);
 
     s->mctmp     = av_malloc_array((stride+MAX_BLOCKSIZE), (h + 5*MAX_BLOCKSIZE) * sizeof(*s->mctmp));
     s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE);
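Review bot: The literal `4` in `av_malloc_array(stride, 4 * MAX_BLOCKSIZE)` is only correct while it matches the `i < 4` slicing loop in dirac_decode_frame_internal (second hunk), and nothing in the code ties the two together. A mismatch between the allocation size and the slice layout is exactly what this commit repairs, so the count is better derived from the array itself, e.g. `av_malloc_array(stride, FF_ARRAY_ELEMS(s->edge_emu_buffer) * MAX_BLOCKSIZE)`, assuming edge_emu_buffer is a fixed-size array in DiracContext (its declaration is not visible here). Failing that, add a comment such as `/* one stride * MAX_BLOCKSIZE slice per edge_emu_buffer[] entry, see dirac_decode_frame_internal() */`. alloc_buffers starts and ends outside the hunk, so the NULL check on the result cannot be confirmed from here.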
@@ -1895,7 +1895,7 @@ static int dirac_decode_frame_internal(DiracContext *s)
 
         /* FIXME: small resolutions */
         for (i = 0; i < 4; i++)
-            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + i*FFALIGN(p->width, 16);
+            s->edge_emu_buffer[i] = s->edge_emu_buffer_base + i*s->buffer_stride*MAX_BLOCKSIZE;
 
         if (!s->zero_res && !s->low_delay)
         {
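Review bot: The new offset `i*s->buffer_stride*MAX_BLOCKSIZE` stays inside the allocation only if s->buffer_stride equals the `stride` last passed to alloc_buffers, and this hunk neither shows nor checks that. It also appears to be computed in `int` (buffer_stride's type is not visible; the `int stride` parameter suggests it), whereas the allocation uses av_malloc_array's overflow-checked multiply. I would widen the arithmetic, `s->edge_emu_buffer[i] = s->edge_emu_buffer_base + (ptrdiff_t)i * s->buffer_stride * MAX_BLOCKSIZE;`, and replace the leftover `/* FIXME: small resolutions */` with a comment stating the invariant, e.g. `/* each slice is buffer_stride * MAX_BLOCKSIZE bytes; must match alloc_buffers() */`. If the FIXME referred to the old `FFALIGN(p->width, 16)` spacing, it is now stale and should be dropped or reworded. dirac_decode_frame_internal continues outside the hunk.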