avcodec/ivi: Allocate bufs later

Fixes: Timeout (24sec->2sec) Fixes: 15951/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5095433266790400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-08-14 02:28:09 +0300
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-08-29 16:57:54 +0300
commit: 15a65c13e18464fa3077812f0a21131dcf7830cb (patch)
tree: 41fe4f749c829506d5b32675b66723a6ed1a0d0c /libavcodec/ivi.c
parent: ba823394f65a5179cc338fc72e37ee7f48c5dac0 (diff)
1 files changed, 20 insertions, 19 deletions
diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c
index 73fcf51b7b..18192cbf23 100644
--- a/libavcodec/ivi.c
+++ b/libavcodec/ivi.c
@@ -354,23 +354,11 @@ av_cold int ff_ivi_init_planes(AVCodecContext *avctx, IVIPlaneDesc *planes, cons
             band->height   = b_height;
             band->pitch    = width_aligned;
             band->aheight  = height_aligned;
-            band->bufs[0]  = av_mallocz(buf_size);
-            band->bufs[1]  = av_mallocz(buf_size);
+            av_assert0(!band->bufs[0] && !band->bufs[1] &&
+                       !band->bufs[2] && !band->bufs[3]);
             band->bufsize  = buf_size/2;
-            if (!band->bufs[0] || !band->bufs[1])
-                return AVERROR(ENOMEM);
+            av_assert0(buf_size % 2 == 0);
 
-            /* allocate the 3rd band buffer for scalability mode */
-            if (cfg->luma_bands > 1) {
-                band->bufs[2] = av_mallocz(buf_size);
-                if (!band->bufs[2])
-                    return AVERROR(ENOMEM);
-            }
-            if (is_indeo4) {
-                band->bufs[3]  = av_mallocz(buf_size);
-                if (!band->bufs[3])
-                    return AVERROR(ENOMEM);
-            }
             /* reset custom vlc */
             planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0;
         }
@@ -945,6 +933,15 @@ static void ivi_output_plane(IVIPlaneDesc *plane, uint8_t *dst, ptrdiff_t dst_pi
     }
 }
 
+static void *prepare_buf(IVI45DecContext *ctx, IVIBandDesc *band, int i)
+{
+    if (ctx->pic_conf.luma_bands <= 1 && i == 2)
+        return NULL;
+    if (!band->bufs[i])
+        band->bufs[i] = av_mallocz(2 * band->bufsize);
+    return band->bufs[i];
+}
+
 /**
  *  Decode an Indeo 4 or 5 band.
  *
@@ -959,18 +956,22 @@ static int decode_band(IVI45DecContext *ctx,
     int         result, i, t, idx1, idx2, pos;
     IVITile     *tile;
 
-    band->buf     = band->bufs[ctx->dst_buf];
+    band->buf     = prepare_buf(ctx, band, ctx->dst_buf);
     if (!band->buf) {
         av_log(avctx, AV_LOG_ERROR, "Band buffer points to no data!\n");
         return AVERROR_INVALIDDATA;
     }
     if (ctx->is_indeo4 && ctx->frame_type == IVI4_FRAMETYPE_BIDIR) {
-        band->ref_buf   = band->bufs[ctx->b_ref_buf];
-        band->b_ref_buf = band->bufs[ctx->ref_buf];
+        band->ref_buf   = prepare_buf(ctx, band, ctx->b_ref_buf);
+        band->b_ref_buf = prepare_buf(ctx, band, ctx->ref_buf);
+        if (!band->b_ref_buf)
+            return AVERROR(ENOMEM);
     } else {
-        band->ref_buf   = band->bufs[ctx->ref_buf];
+        band->ref_buf   = prepare_buf(ctx, band, ctx->ref_buf);
         band->b_ref_buf = 0;
     }
+    if (!band->ref_buf)
+        return AVERROR(ENOMEM);
     band->data_ptr  = ctx->frame_data + (get_bits_count(&ctx->gb) >> 3);
 
     result = ctx->decode_band_hdr(ctx, band, avctx);
author	Michael Niedermayer <michael@niedermayer.cc>	2019-08-14 02:28:09 +0300
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-08-29 16:57:54 +0300
commit	15a65c13e18464fa3077812f0a21131dcf7830cb (patch)
tree	41fe4f749c829506d5b32675b66723a6ed1a0d0c /libavcodec/ivi.c
parent	ba823394f65a5179cc338fc72e37ee7f48c5dac0 (diff)