[FFmpeg-devel] [PATCH 2/2] avcodec/vp56: Require not any undamaged frame for concealment but one of comparable size
Ronald S. Bultje
rsbultje at gmail.com
Thu Mar 9 14:59:37 EET 2017
Hi,
On Wed, Mar 8, 2017 at 10:07 PM, Michael Niedermayer <michael at niedermayer.cc> wrote:
> Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/vp56.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
> index 0010408847..bccb424903 100644
> --- a/libavcodec/vp56.c
> +++ b/libavcodec/vp56.c
> @@ -710,7 +710,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx,
> void *data,
> int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
> if (ret < 0) {
> damaged = 1;
> - if (!s->have_undamaged_frame) {
> + if (s->have_undamaged_frame < s->mb_width *
> s->mb_height) {
> s->discard_frame = 1;
> return AVERROR_INVALIDDATA;
> }
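Review bot: the new check `if (s->have_undamaged_frame < s->mb_width * s->mb_height)` compares only the macroblock count of the last undamaged frame, so a reference whose width and height both differ from the current frame but whose product is equal (a 4x6 versus a 6x4 macroblock layout, for instance) still passes and is used for concealment, which the decoder cannot do correctly without scalable motion compensation. Suggest recording the reference's width and height separately and rejecting when either one differs, e.g. `if (s->undamaged_mb_width != s->mb_width || s->undamaged_mb_height != s->mb_height)` (field names are a suggestion, not existing fields).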
> @@ -732,7 +732,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx,
> void *data,
> }
>
> if (!damaged)
> - s->have_undamaged_frame = 1;
> + s->have_undamaged_frame = s->mb_width * s->mb_height;
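Review bot: `s->have_undamaged_frame = s->mb_width * s->mb_height;` stores the product of the dimensions, which discards exactly the information the earlier check needs to tell a same-size reference from a differently shaped one with the same macroblock count; store `s->mb_width` and `s->mb_height` themselves (two fields) so both can be compared. The field name also no longer describes a boolean, so a rename (or a comment on the struct member stating that it now holds a dimension) would keep the intent readable.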
You know very well that this makes the memory issue go away but isn't doing
the right thing if width1!=width2 && height1!=height2 but width1*height1 ==
width2*height2. This is obviously because vpN codecs up to and including
vp8 don't include scalable MC.
Can you do this right and only allow this if frame/ref width and height
both match, not just their product?
Ronald