On 6/6/2020 1:12 PM, James Almer wrote:
> On 6/6/2020 1:03 PM, Michael Niedermayer wrote:
>> Fixes: out of array access
>> Fixes:
>> 23034/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5074645169733632.fuzz
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
>> ---
>> libavcodec/cbs_h265_syntax_template.c | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/cbs_h265_syntax_template.c
>> b/libavcodec/cbs_h265_syntax_template.c
>> index 5b7d1aa837..900764a3cf 100644
>> --- a/libavcodec/cbs_h265_syntax_template.c
>> +++ b/libavcodec/cbs_h265_syntax_template.c
>> @@ -518,8 +518,11 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext
>> *ctx, RWContext *rw,
>>
>> if (st_rps_idx != 0)
>> flag(inter_ref_pic_set_prediction_flag);
>> - else
>> + else {
>> infer(inter_ref_pic_set_prediction_flag, 0);
>> + if (current->inter_ref_pic_set_prediction_flag)
>
> This makes no sense. The infer(inter_ref_pic_set_prediction_flag, 0)
> line sets current->inter_ref_pic_set_prediction_flag to 0. How can this
> check even succeed?
>
> Can you give some context?
Oh, i guess this is during writing, not reading, where you just get a
warning about mismatching values.
Sounds like the bug is elsewhere, then, seeing
inter_ref_pic_set_prediction_flag was set to 1 in an scenario where it
should have been 0.
>
>> + return AVERROR_INVALIDDATA;
>> + }
>>
>> if (current->inter_ref_pic_set_prediction_flag) {
>> unsigned int ref_rps_idx, num_delta_pocs, num_ref_pics;
>>
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
