avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()

The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-11-24 00:22:39 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-02-20 14:21:24 +0100
commit: 8a88150ffcf4dd39e65d97811fcd6269f0306eb7 (patch)
tree: ab498f12e7faaa3e7c99717d35559be90793516a
parent: b81c4dd4f9c0eb5127b7dcbe862ea148958056de (diff)
download: ffmpeg-8a88150ffcf4dd39e65d97811fcd6269f0306eb7.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 703a98414d..309bb6573e 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -69,7 +69,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav)
         int ret = ffio_ensure_seekback(s->pb, len);
 
         if (ret >= 0) {
-            uint8_t *buf = av_malloc(len);
+            uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE);
             if (!buf) {
                 ret = AVERROR(ENOMEM);
             } else {
author	Michael Niedermayer <michael@niedermayer.cc>	2020-11-24 00:22:39 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-02-20 14:21:24 +0100
commit	8a88150ffcf4dd39e65d97811fcd6269f0306eb7 (patch)
tree	ab498f12e7faaa3e7c99717d35559be90793516a
parent	b81c4dd4f9c0eb5127b7dcbe862ea148958056de (diff)
download	ffmpeg-8a88150ffcf4dd39e65d97811fcd6269f0306eb7.tar.gz