The buffer is read by using the bit reader
Fixes: out of array read
Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
int ret = ffio_ensure_seekback(s->pb, len);
if (ret >= 0) {
- uint8_t *buf = av_malloc(len);
+ uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE);
if (!buf) {
ret = AVERROR(ENOMEM);
} else {
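Review bot: on the changed av_malloc line, the extra AV_INPUT_BUFFER_PADDING_SIZE bytes are allocated but nothing in the visible hunk zeroes them, so the bit reader can still consume uninitialized memory once it runs past len. Consider av_mallocz, or a memset of the trailing padding after the data is read into buf. A second point on the same line: len + AV_INPUT_BUFFER_PADDING_SIZE is computed with no upper bound on len visible here; if len is derived from the input file, reject values above INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE before the addition so the size cannot wrap.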