On 6/6/2020 1:03 PM, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes:
> 23034/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5074645169733632.fuzz
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
> libavcodec/cbs_h265_syntax_template.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/cbs_h265_syntax_template.c
> b/libavcodec/cbs_h265_syntax_template.c
> index 5b7d1aa837..900764a3cf 100644
> --- a/libavcodec/cbs_h265_syntax_template.c
> +++ b/libavcodec/cbs_h265_syntax_template.c
> @@ -518,8 +518,11 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext
> *ctx, RWContext *rw,
>
> if (st_rps_idx != 0)
> flag(inter_ref_pic_set_prediction_flag);
> - else
> + else {
> infer(inter_ref_pic_set_prediction_flag, 0);
> + if (current->inter_ref_pic_set_prediction_flag)
This makes no sense. The infer(inter_ref_pic_set_prediction_flag, 0)
line sets current->inter_ref_pic_set_prediction_flag to 0. How can this
check even succeed?
Can you give some context?
> + return AVERROR_INVALIDDATA;
> + }
>
> if (current->inter_ref_pic_set_prediction_flag) {
> unsigned int ref_rps_idx, num_delta_pocs, num_ref_pics;
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
