On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <mich...@niedermayer.cc>
wrote:

> Fixes: out of array access
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <mich...@niedermayer.cc>
> ---
>  libavcodec/osq.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> index e7f11691d2e..bcc75fef6fc 100644
> --- a/libavcodec/osq.c
> +++ b/libavcodec/osq.c
> @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> AVFrame *frame)
>      GetBitContext *gb = &s->gb;
>      int ret, n;
>
> +    if (s->pkt_offset > s->pkt->size)
> +        s->pkt_offset = 0;
>

This is more hack than real fix.

Can you provide input file?


> +
>      while (s->bitstream_size < s->max_framesize) {
>          int size;
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to