On 9/25/2020 5:05 AM, Michael Niedermayer wrote: > On Thu, Sep 24, 2020 at 05:51:43PM -0300, James Almer wrote: >> On 9/24/2020 5:20 PM, Michael Niedermayer wrote: >>> Fixes: member access within null pointer of type 'TileGroupInfo' (aka >>> 'struct TileGroupInfo') >>> Fixes: >>> 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616 >>> >>> Found-by: continuous fuzzing process >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >>> --- >>> libavcodec/av1dec.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c >>> index 0bb04a3e44..cf3a78aad8 100644 >>> --- a/libavcodec/av1dec.c >>> +++ b/libavcodec/av1dec.c >>> @@ -209,6 +209,9 @@ static int get_tiles_info(AVCodecContext *avctx, const >>> AV1RawTileGroup *tile_gro >>> uint16_t tile_num, tile_row, tile_col; >>> uint32_t size = 0, size_bytes = 0; >>> >>> + if (s->tile_num != s->raw_frame_header->tile_cols * >>> s->raw_frame_header->tile_rows) >>> + return AVERROR_INVALIDDATA; >> >> This shouldn't happen if a frame header was properly parsed. It sounds >> like one wasn't yet s->raw_frame_header was left pointing to it. >> > >> Does the following also fix this crash? > > I was considering to clear raw_frame_header but went for the smaller change > as it wasnt clear to me if that would have unintended side effects / and > wondered why it was not cleared on any error path ... > But yes if clearing it is ok that is better > and i confirm the suggested change works
Yes, it's an oversight. Will send a patchset to make some more thorough cleaning on error, including this fix. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
