From 2be51d14f278c1c207becafed0db20cbc4e89f55 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 16 Oct 2020 09:30:39 +0200
Subject: avformat/av1dec: Fix padding in obu_get_packet()

Fixes: stack buffer overflow (read)
Fixes: 26369/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5721057325219840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/av1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavformat')

diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c
index 10c4560968..395eef6522 100644
--- a/libavformat/av1dec.c
+++ b/libavformat/av1dec.c
@@ -382,7 +382,7 @@ static int obu_read_header(AVFormatContext *s)
 static int obu_get_packet(AVFormatContext *s, AVPacket *pkt)
 {
     ObuContext *c = s->priv_data;
-    uint8_t header[MAX_OBU_HEADER_SIZE];
+    uint8_t header[MAX_OBU_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE];
     int64_t obu_size;
     int size = av_fifo_space(c->fifo);
     int ret, len, type;
-- 
cgit v1.2.3