Michael Niedermayer: > Fixes: SEGV on unknown address 0x000000000000 > Fixes: > 26482/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4905102324006912 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavformat/vividas.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavformat/vividas.c b/libavformat/vividas.c > index 999c4a5d1c..6e93d96aef 100644 > --- a/libavformat/vividas.c > +++ b/libavformat/vividas.c > @@ -682,7 +682,7 @@ static int viv_read_packet(AVFormatContext *s, > return AVERROR_INVALIDDATA; > > ffio_read_varlen(pb); > - if (v_size > INT_MAX) > + if (v_size > INT_MAX || !v_size) > return AVERROR_INVALIDDATA; > ret = av_get_packet(pb, pkt, v_size); > if (ret < 0) > @@ -711,7 +711,7 @@ static int viv_read_packet(AVFormatContext *s, > } else { > uint64_t v_size = ffio_read_varlen(pb); > > - if (v_size > INT_MAX) > + if (v_size > INT_MAX || !v_size) > return AVERROR_INVALIDDATA; > ret = av_get_packet(pb, pkt, v_size); > if (ret < 0) > av_get_packet(pb, pkt, 0) should get a packet with pkt->data pointing to a zeroed buffer of size AV_INPUT_BUFFER_PADDING_SIZE. So accessing pkt->data[0] for the flags should not segfault (but it would set the wrong result: that it is a keyframe). So where is the segfault?
- Andreas _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
