[FFmpeg-devel] [PATCH 2/4] avcodec/av1dec: Check tile_group_info size before use
James Almer
jamrial at gmail.com
Thu Sep 24 23:51:43 EEST 2020
On 9/24/2020 5:20 PM, Michael Niedermayer wrote:
> Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct TileGroupInfo')
> Fixes: 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/av1dec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
> index 0bb04a3e44..cf3a78aad8 100644
> --- a/libavcodec/av1dec.c
> +++ b/libavcodec/av1dec.c
> @@ -209,6 +209,9 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro
> uint16_t tile_num, tile_row, tile_col;
> uint32_t size = 0, size_bytes = 0;
>
> + if (s->tile_num != s->raw_frame_header->tile_cols * s->raw_frame_header->tile_rows)
> + return AVERROR_INVALIDDATA;
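Review bot: the new guard in get_tiles_info() unconditionally dereferences s->raw_frame_header to read tile_cols and tile_rows, yet the crash it addresses ("member access within null pointer of type 'TileGroupInfo'") points to stale per-frame state rather than a genuinely inconsistent tile count, so the check rejects the symptom (tile_num disagreeing with the header) while still trusting the header pointer it compares against. Please add a short comment above the check stating how tile_num can legitimately diverge from tile_cols * tile_rows here, or move the validation to the point where raw_frame_header is set so the decoder never enters tile-group parsing with a header from a previous, failed frame.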
This shouldn't happen if a frame header was properly parsed. It sounds
like one wasn't, yet s->raw_frame_header was left pointing to it.
Does the following also fix this crash?
> diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
> index 0bb04a3e44..e650d43d9e 100644
> --- a/libavcodec/av1dec.c
> +++ b/libavcodec/av1dec.c
> @@ -831,6 +831,9 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
>
> end:
> ff_cbs_fragment_reset(&s->current_obu);
> + if (ret < 0)
> + s->raw_frame_header = NULL;
> +
> return ret;
> }
>
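Review bot: clearing s->raw_frame_header at the end: label when ret < 0 converts a stale pointer into a NULL one, which is only safe if every later consumer checks for NULL first; get_tiles_info() in the hunk above reads s->raw_frame_header->tile_cols without such a check, so on its own this change would trade the reported misuse for a null dereference on the next tile-group OBU. Pair the reset with an explicit `if (!s->raw_frame_header) return AVERROR_INVALIDDATA;` at the tile-group entry point, and document in the commit message that a frame header is invalidated whenever av1_decode_frame() fails.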