On Thu, Sep 24, 2020 at 05:51:43PM -0300, James Almer wrote: > On 9/24/2020 5:20 PM, Michael Niedermayer wrote: > > Fixes: member access within null pointer of type 'TileGroupInfo' (aka > > 'struct TileGroupInfo') > > Fixes: > > 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/av1dec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c > > index 0bb04a3e44..cf3a78aad8 100644 > > --- a/libavcodec/av1dec.c > > +++ b/libavcodec/av1dec.c > > @@ -209,6 +209,9 @@ static int get_tiles_info(AVCodecContext *avctx, const > > AV1RawTileGroup *tile_gro > > uint16_t tile_num, tile_row, tile_col; > > uint32_t size = 0, size_bytes = 0; > > > > + if (s->tile_num != s->raw_frame_header->tile_cols * > > s->raw_frame_header->tile_rows) > > + return AVERROR_INVALIDDATA; > > This shouldn't happen if a frame header was properly parsed. It sounds > like one wasn't yet s->raw_frame_header was left pointing to it. >
> Does the following also fix this crash? I was considering to clear raw_frame_header but went for the smaller change as it wasnt clear to me if that would have unintended side effects / and wondered why it was not cleared on any error path ... But yes if clearing it is ok that is better and i confirm the suggested change works thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Those who are best at talking, realize last or never when they are wrong.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
