avformat/av1dec: Fix padding in obu_get_packet()

Fixes: stack buffer overflow (read)
Fixes: 26369/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5721057325219840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c
index 10c45609682bc92d321632378ee368be1dc3eb69..395eef652231cc71a7a3a6333e7b617f7c003df0 100644 (file)
--- a/libavformat/av1dec.c
+++ b/libavformat/av1dec.c
@@ -382,7 +382,7 @@ static int obu_read_header(AVFormatContext *s)
 static int obu_get_packet(AVFormatContext *s, AVPacket *pkt)
 {
     ObuContext *c = s->priv_data;
-    uint8_t header[MAX_OBU_HEADER_SIZE];
+    uint8_t header[MAX_OBU_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE];
     int64_t obu_size;
     int size = av_fifo_space(c->fifo);
     int ret, len, type;