avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif()

The buffer is read by using the bit reader
Fixes: out of array read
Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 256c36ebe2a2c22c317c68df0cec13834e8e38d9..ef144502a2e92f216b51a2ca6ac5cecfca3dee44 100644 (file)
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -71,7 +71,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav)
         int ret = ffio_ensure_seekback(s->pb, len);
 
         if (ret >= 0) {
-            uint8_t *buf = av_malloc(len);
+            uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE);
             if (!buf) {
                 ret = AVERROR(ENOMEM);
             } else {