authorMichael Niedermayer <michael@niedermayer.cc>2025-08-21 19:06:03 +0200
committermichaelni <michael@niedermayer.cc>2025-08-21 21:02:40 +0000
commitc41a70b6bb79707e1e3a4b0e31950cd986b9f50e (patch)
treefebeffddf33e2015fa94431e0fd64282397d3319
parentd4e28917afb82548fe830448033068c080cafd02 (diff)
downloadffmpeg-c41a70b6bb79707e1e3a4b0e31950cd986b9f50e.tar.gz
avcodec/sanm: Eliminate reference into reallocated frame
AFAIK the original decoder uses the frame buffers in very strange ways. Our implementation seems to mimic that, and that results in the bitstream input pointing into a frame buffer while code then parses it and potentially reallocates the frame buffer, leaving pointers hanging into deallocated space. This simply uses a temporary buffer.
Fixes: Writing into freed buffers
Fixes: BIGSLEEP-440183164/old_codec21.anim
Fixes: BIGSLEEP-440183164/old_codec4.anim
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/sanm.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 28fdcb3659..051acc9057 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1847,8 +1847,13 @@ static int process_ftch(SANMVideoContext *ctx, int size)
*(int16_t *)(sf + 4 + 4) = av_le2ne16(top + yoff);
/* decode the stored FOBJ */
- bytestream2_init(&gb, sf + 4, sz);
+ uint8_t *bitstream = av_malloc(sz + AV_INPUT_BUFFER_PADDING_SIZE);
+ if (!bitstream)
+ return AVERROR(ENOMEM);
+ memcpy(bitstream, sf + 4, sz);
+ bytestream2_init(&gb, bitstream, sz);
ret = process_frame_obj(ctx, &gb);
+ av_free(bitstream);
/* now restore the original left/top values again */
*(int16_t *)(sf + 4 + 2) = av_le2ne16(left);