avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()

The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-11-24 00:22:39 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-09-11 21:23:49 +0200
commit: 5bd10bb5f6abab4872ef648d409f5a28609fa671 (patch)
tree: c682167254f3590056afb0d9e76d55e1c516a6b2
parent: 73c963692e78a7f15bfa09f19cf2f86860fb36fc (diff)
download: ffmpeg-5bd10bb5f6abab4872ef648d409f5a28609fa671.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index ad72ad0622..ef0c6b374c 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -68,7 +68,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav)
         int ret = ffio_ensure_seekback(s->pb, len);
 
         if (ret >= 0) {
-            uint8_t *buf = av_malloc(len);
+            uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE);
             if (!buf) {
                 ret = AVERROR(ENOMEM);
             } else {
author	Michael Niedermayer <michael@niedermayer.cc>	2020-11-24 00:22:39 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-09-11 21:23:49 +0200
commit	5bd10bb5f6abab4872ef648d409f5a28609fa671 (patch)
tree	c682167254f3590056afb0d9e76d55e1c516a6b2
parent	73c963692e78a7f15bfa09f19cf2f86860fb36fc (diff)
download	ffmpeg-5bd10bb5f6abab4872ef648d409f5a28609fa671.tar.gz