[FFmpeg-devel] [PATCH 05/10] avcodec/vvc/thread: Check frame to be non NULL
Michael Niedermayer
michael at niedermayer.cc
Wed Oct 9 22:40:27 EEST 2024
Hi Nuo mi
On Sun, Sep 22, 2024 at 11:56:40PM +0200, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 71303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4875859050168320
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/vvc/thread.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/vvc/thread.c b/libavcodec/vvc/thread.c
> index 86a7753c6a4..2bf9adc462e 100644
> --- a/libavcodec/vvc/thread.c
> +++ b/libavcodec/vvc/thread.c
> @@ -837,7 +837,8 @@ int ff_vvc_frame_wait(VVCContext *s, VVCFrameContext *fc)
> ff_cond_wait(&ft->cond, &ft->lock);
>
> ff_mutex_unlock(&ft->lock);
> - ff_vvc_report_frame_finished(fc->ref);
> + if (fc->ref)
> + ff_vvc_report_frame_finished(fc->ref);
Is this correct ?
or is there some other issue ?
i can provide the fuzzer sample if you want to have a look?
libavcodec/vvc/refs.c:587:31: runtime error: member access within null pointer of type 'VVCFrame' (aka 'struct VVCFrame')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/vvc/refs.c:587:31 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1106370==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x0000008e05c3 bp 0x7fffa0862730 sp 0x7fffa08625c0 T0)
==1106370==The signal is caused by a READ memory access.
==1106370==Hint: address points to the zero page.
#0 0x8e05c3 in ff_vvc_report_progress libavcodec/vvc/refs.c:587:31
#1 0x8e0476 in ff_vvc_report_frame_finished libavcodec/vvc/refs.c:547:5
#2 0x8e887d in ff_vvc_frame_wait libavcodec/vvc/thread.c:822:5
#3 0x6f260d in wait_delayed_frame libavcodec/vvc/dec.c:927:32
#4 0x6db9ec in get_decoded_frame libavcodec/vvc/dec.c:963:20
#5 0x6db9ec in vvc_decode_frame libavcodec/vvc/dec.c:992:16
#6 0x58285b in decode_simple_internal libavcodec/decode.c:442:16
#7 0x58285b in decode_simple_receive_frame libavcodec/decode.c:612:15
#8 0x58285b in ff_decode_receive_frame_internal libavcodec/decode.c:648:15
#9 0x588d4b in decode_receive_frame_internal libavcodec/decode.c:665:15
#10 0x58a861 in ff_decode_receive_frame libavcodec/decode.c:825:15
#11 0x55fc6d in audio_video_handler tools/target_dec_fuzzer.c:98:15
#12 0x55d79d in LLVMFuzzerTestOneInput tools/target_dec_fuzzer.c:602:9
#13 0x16bf1ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (tools/target_dec_vvc_fuzzer+0x16bf1ac)
#14 0x16a981f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (tools/target_dec_vvc_fuzzer+0x16a981f)
#15 0x16aee7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (tools/target_dec_vvc_fuzzer+0x16aee7f)
#16 0x16a94bb in main (tools/target_dec_vvc_fuzzer+0x16a94bb)
#17 0x7f5835026082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#18 0x4a9ecd in _start (tools/target_dec_vvc_fuzzer+0x4a9ecd)
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20241009/b8bc242a/attachment.sig>
More information about the ffmpeg-devel
mailing list