On 22/10/2023 01:35, Michael Niedermayer wrote:
Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
Fixes:
62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/cbs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index cdd7adebebd..2f5d0334a2a 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
position = get_bits_count(gbc);
+ if (length >= 256) {
+ av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at
255\n", length);
+ length = 255;
+ }
+
av_assert0(length < 256);
for (i = 0; i < length; i++)
bits[i] = get_bits1(gbc) ? '1' : '0';
IMO the assert is sensible (no syntax element is that large) and so this must
be catching a bug somewhere else. Please don't nullify the assert to hide the
bug.
Can you share the input stream which hit this case?
Thanks,
- Mark
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
