author | Michael Niedermayer <michael@niedermayer.cc> | 2020-11-18 01:29:23 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2020-12-24 15:25:00 +0100 |
commit | aea8d4061d3e662b506df8067b7584dbab0a1851 (patch) | |
tree | be233f706b96a96cc822c44371f00c603c0510eb | |
parent | 684aec6a6872c9e3bb0afee1979f1cd3edd1f8ce (diff) | |
avformat/swfdec: Allocate output buffer after reading input
Fixes: Timeout (>10sec -> 0.26sec)
Fixes: 27419/clusterfuzz-testcase-minimized-ffmpeg_dem_SWF_fuzzer-5678307361947648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/swfdec.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
index fa11c050cd..1463f0ad4d 100644
--- a/libavformat/swfdec.c
+++ b/libavformat/swfdec.c
@@ -368,14 +368,21 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
 ch_id, bmp_fmt, width, height, linesize, len, out_len, colormapsize);
 zbuf = av_malloc(len);
- buf = av_malloc(out_len);
- if (!zbuf || !buf) {
+ if (!zbuf) {
 res = AVERROR(ENOMEM);
 goto bitmap_end;
 }
 len = avio_read(pb, zbuf, len);
- if (len < 0 || (res = uncompress(buf, &out_len, zbuf, len)) != Z_OK) {
+ if (len < 0)
+ goto bitmap_end_skip;
+
+ buf = av_malloc(out_len);
+ if (!buf) {
+ res = AVERROR(ENOMEM);
+ goto bitmap_end;
+ }
+ if ((res = uncompress(buf, &out_len, zbuf, len)) != Z_OK) {
 av_log(s, AV_LOG_WARNING, "Failed to uncompress one bitmap\n");
 goto bitmap_end_skip;
 } |
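Review bot: Both early exits that now precede `buf = av_malloc(out_len);` (`goto bitmap_end` when `zbuf` is NULL, and `goto bitmap_end_skip` when `len < 0`) reach the cleanup labels before this hunk has assigned `buf`, whereas the old code assigned it before any jump. The labels and the declaration of `buf` are outside the hunk, so this needs confirming: if the cleanup frees `buf`, its declaration must initialise it to NULL, otherwise a truncated file leads to freeing an uninitialised pointer. Separately, `len < 0` catches only a failed read. A short read still allocates `out_len`, which appears to come from fields in the file, so saving the requested length and comparing it with the `avio_read()` result before the allocation would cover the remaining case. swf_read_packet's body continues outside the hunk.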