ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Sun Mar 12 03:04:06 2017 +0100| [967feea5ebb744dce97ab327d33502b43fca0c7f] | committer: Michael Niedermayer
avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() Fixes: 807/clusterfuzz-testcase-6470061042696192 Fixes null pointer dereference Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=967feea5ebb744dce97ab327d33502b43fca0c7f
---
 libavcodec/vp6.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index f0e60a3..4afd67b 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -108,7 +108,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
 if (ret < 0)
- return ret;
+ goto fail;
 vp56_rac_gets(c, 2);
 parse_filter_info = s->filter_header;
@@ -162,9 +162,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 buf += coeff_offset;
 buf_size -= coeff_offset;
 if (buf_size < 0) {
- if (s->frames[VP56_FRAME_CURRENT]->key_frame)
- ff_set_dimensions(s->avctx, 0, 0);
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
 }
 if (s->use_huffman) {
 s->parse_coeff = vp6_parse_coeff_huffman;
@@ -172,7 +171,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 } else {
 ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size);
 if (ret < 0)
- return ret;
+ goto fail;
 s->ccp = &s->cc;
 }
 } else {
@@ -180,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
 }
 return res;
+fail:
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(s->avctx, 0, 0);
+ return ret;
 }
 static void vp6_coeff_order_table_init(VP56Context *s)
_______________________________________________
ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
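Review bot: The cleanup under `fail:` calls `ff_set_dimensions(s->avctx, 0, 0)` and drops its result with no comment, so a later reader cannot tell that the call is a deliberate reset rather than an unchecked error; a line such as `/* size change already applied to avctx: zero the dimensions so the caller cannot go on with a size it never allocated frames for */` above the `if` would record the intent (that rationale is inferred from the commit message, so confirm it). The guard also depends on `res` holding a defined value at every `goto fail`, and both its declaration and the place where it becomes `VP56_SIZE_CHANGE` are outside these hunks, as is the start of vp6_parse_header. The hunks at -108, -162 and -172 convert three returns; any other error `return` that can run after `res` is set and was not converted would skip the reset, which is worth checking against the full function.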