avcodec/snowdec: Maintain avmv buffer

This avoids reallocating per frame

Fixes: Assertion failure
Fixes: 36359/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6733238591684608
Fixes: 38623/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6098656512573440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavcodec/snow.h

@@ -186,6 +186,7 @@ typedef struct SnowContext{
     uint8_t *emu_edge_buffer;
 
     AVMotionVector *avmv;
+    unsigned avmv_size;
     int avmv_index;
     uint64_t encoding_error[AV_NUM_DATA_POINTERS];
 

libavcodec/snowdec.c

@@ -492,9 +492,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                s->spatial_decomposition_count
               );
 
-    av_assert0(!s->avmv);
     if (s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_MVS) {
-        s->avmv = av_malloc_array(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2));
+        size_t size;
+        res = av_size_mult(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2), &size);
+        if (res)
+            return res;
+        av_fast_malloc(&s->avmv, &s->avmv_size, size);
+        if (!s->avmv)
+            return AVERROR(ENOMEM);
+    } else {
+        s->avmv_size = 0;
+        av_freep(&s->avmv);
     }
     s->avmv_index = 0;
 
@@ -623,8 +631,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         memcpy(sd->data, s->avmv, s->avmv_index * sizeof(AVMotionVector));
     }
 
-    av_freep(&s->avmv);
-
     if (res < 0)
         return res;
 
@@ -644,6 +650,9 @@ static av_cold int decode_end(AVCodecContext *avctx)
 
     ff_snow_common_end(s);
 
+    s->avmv_size = 0;
+    av_freep(&s->avmv);
+
     return 0;
 }