[FFmpeg-devel] [PATCH 05/10] avcodec/vvc/thread: Check frame to be non NULL
Nuo Mi
nuomi2021 at gmail.com
Sun Oct 13 06:02:26 EEST 2024
On Thu, Oct 10, 2024 at 3:40 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> Hi Nuo mi
>
> On Sun, Sep 22, 2024 at 11:56:40PM +0200, Michael Niedermayer wrote:
> > Fixes: NULL pointer dereference
> > Fixes:
> 71303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4875859050168320
> >
> > Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/vvc/thread.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/vvc/thread.c b/libavcodec/vvc/thread.c
> > index 86a7753c6a4..2bf9adc462e 100644
> > --- a/libavcodec/vvc/thread.c
> > +++ b/libavcodec/vvc/thread.c
> > @@ -837,7 +837,8 @@ int ff_vvc_frame_wait(VVCContext *s, VVCFrameContext
> *fc)
> > ff_cond_wait(&ft->cond, &ft->lock);
> >
> > ff_mutex_unlock(&ft->lock);
> > - ff_vvc_report_frame_finished(fc->ref);
> > + if (fc->ref)
> > + ff_vvc_report_frame_finished(fc->ref);
>
> Is this correct ?
> or is there some other issue ?
> i can provide the fuzzer sample if you want to have a look?
>
Hi Michael,
Sorry for the delay.
The NULL fc->ref might need to be handled earlier.
Please provide the fuzz data, and I'll check it out.
Thank you
> libavcodec/vvc/refs.c:587:31: runtime error: member access within null
> pointer of type 'VVCFrame' (aka 'struct VVCFrame')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libavcodec/vvc/refs.c:587:31 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==1106370==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058
> (pc 0x0000008e05c3 bp 0x7fffa0862730 sp 0x7fffa08625c0 T0)
> ==1106370==The signal is caused by a READ memory access.
> ==1106370==Hint: address points to the zero page.
> #0 0x8e05c3 in ff_vvc_report_progress libavcodec/vvc/refs.c:587:31
> #1 0x8e0476 in ff_vvc_report_frame_finished libavcodec/vvc/refs.c:547:5
> #2 0x8e887d in ff_vvc_frame_wait libavcodec/vvc/thread.c:822:5
> #3 0x6f260d in wait_delayed_frame libavcodec/vvc/dec.c:927:32
> #4 0x6db9ec in get_decoded_frame libavcodec/vvc/dec.c:963:20
> #5 0x6db9ec in vvc_decode_frame libavcodec/vvc/dec.c:992:16
> #6 0x58285b in decode_simple_internal libavcodec/decode.c:442:16
> #7 0x58285b in decode_simple_receive_frame libavcodec/decode.c:612:15
> #8 0x58285b in ff_decode_receive_frame_internal
> libavcodec/decode.c:648:15
> #9 0x588d4b in decode_receive_frame_internal libavcodec/decode.c:665:15
> #10 0x58a861 in ff_decode_receive_frame libavcodec/decode.c:825:15
> #11 0x55fc6d in audio_video_handler tools/target_dec_fuzzer.c:98:15
> #12 0x55d79d in LLVMFuzzerTestOneInput tools/target_dec_fuzzer.c:602:9
> #13 0x16bf1ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
> unsigned long) (tools/target_dec_vvc_fuzzer+0x16bf1ac)
> #14 0x16a981f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
> unsigned long) (tools/target_dec_vvc_fuzzer+0x16a981f)
> #15 0x16aee7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
> char const*, unsigned long)) (tools/target_dec_vvc_fuzzer+0x16aee7f)
> #16 0x16a94bb in main (tools/target_dec_vvc_fuzzer+0x16a94bb)
> #17 0x7f5835026082 in __libc_start_main
> /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
> #18 0x4a9ecd in _start (tools/target_dec_vvc_fuzzer+0x4a9ecd)
>
> thx
>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Good people do not need laws to tell them to act responsibly, while bad
> people will find a way around the laws. -- Plato
>
More information about the ffmpeg-devel
mailing list