avcodec/sanm: Eliminate reference into reallocated frame

AFAIK the original decoder uses the frame buffers in very strange ways our implementation seems to mimic that and that results in the bitstream input to point into a frame buffer while code then parses that and potentially reallocates the frame buffer leaving pointers hanging into dealllocated space This simply uses a temporary buffer Fixes: Writing into freed buffers Fixes: BIGSLEEP-440183164/old_codec21.anim Fixes: BIGSLEEP-440183164/old_codec4.anim Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-10-06 05:47:18 +02:00 · 2025-08-21 19:06:03 +02:00
parent d4e28917af
commit c41a70b6bb
1 changed files with 6 additions and 1 deletions
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1847,8 +1847,13 @@ static int process_ftch(SANMVideoContext *ctx, int size)
        *(int16_t *)(sf + 4 + 4) = av_le2ne16(top  + yoff);

        /* decode the stored FOBJ */
-        bytestream2_init(&gb, sf + 4, sz);
+        uint8_t *bitstream = av_malloc(sz + AV_INPUT_BUFFER_PADDING_SIZE);
+        if (!bitstream)
+            return AVERROR(ENOMEM);
+        memcpy(bitstream, sf + 4, sz);
+        bytestream2_init(&gb, bitstream, sz);
        ret = process_frame_obj(ctx, &gb);
+        av_free(bitstream);

        /* now restore the original left/top values again */
        *(int16_t *)(sf + 4 + 2) = av_le2ne16(left);