On Thu, Oct 10, 2024 at 3:40 AM Michael Niedermayer <mich...@niedermayer.cc>
wrote:

> Hi Nuo mi
>
> On Sun, Sep 22, 2024 at 11:56:40PM +0200, Michael Niedermayer wrote:
> > Fixes: NULL pointer dereference
> > Fixes: 71303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4875859050168320
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > ---
> >  libavcodec/vvc/thread.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/vvc/thread.c b/libavcodec/vvc/thread.c
> > index 86a7753c6a4..2bf9adc462e 100644
> > --- a/libavcodec/vvc/thread.c
> > +++ b/libavcodec/vvc/thread.c
> > @@ -837,7 +837,8 @@ int ff_vvc_frame_wait(VVCContext *s, VVCFrameContext
> *fc)
> >          ff_cond_wait(&ft->cond, &ft->lock);
> >
> >      ff_mutex_unlock(&ft->lock);
> > -    ff_vvc_report_frame_finished(fc->ref);
> > +    if (fc->ref)
> > +        ff_vvc_report_frame_finished(fc->ref);
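Review bot: the `if (fc->ref)` guard silences the dereference at this one call site but does not explain how `ff_vvc_frame_wait` is reached with `fc->ref == NULL` in the first place; the sanitizer trace in this thread shows the NULL reaching `ff_vvc_report_progress` (refs.c:587) via `ff_vvc_report_frame_finished` (refs.c:547), and the function has already waited on `ft->cond` for that frame before this line. Either return early at the top of `ff_vvc_frame_wait` when `fc->ref` is NULL, or, preferably, fix the earlier point in the decode path (see `wait_delayed_frame` / `get_decoded_frame` in the trace) that leaves `fc->ref` unset; if the guard is kept, add a comment stating when `fc->ref` can legitimately be NULL here so the check does not read as masking a logic error.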
>
> Is this correct?
> Or is there some other issue?
> I can provide the fuzzer sample if you want to have a look.
>
Hi Michael,
Sorry for the delay.
The NULL fc->ref might need to be handled earlier.
Please provide the fuzz data, and I'll check it out.
Thank you


> libavcodec/vvc/refs.c:587:31: runtime error: member access within null
> pointer of type 'VVCFrame' (aka 'struct VVCFrame')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libavcodec/vvc/refs.c:587:31 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==1106370==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058
> (pc 0x0000008e05c3 bp 0x7fffa0862730 sp 0x7fffa08625c0 T0)
> ==1106370==The signal is caused by a READ memory access.
> ==1106370==Hint: address points to the zero page.
>     #0 0x8e05c3 in ff_vvc_report_progress libavcodec/vvc/refs.c:587:31
>     #1 0x8e0476 in ff_vvc_report_frame_finished libavcodec/vvc/refs.c:547:5
>     #2 0x8e887d in ff_vvc_frame_wait libavcodec/vvc/thread.c:822:5
>     #3 0x6f260d in wait_delayed_frame libavcodec/vvc/dec.c:927:32
>     #4 0x6db9ec in get_decoded_frame libavcodec/vvc/dec.c:963:20
>     #5 0x6db9ec in vvc_decode_frame libavcodec/vvc/dec.c:992:16
>     #6 0x58285b in decode_simple_internal libavcodec/decode.c:442:16
>     #7 0x58285b in decode_simple_receive_frame libavcodec/decode.c:612:15
>     #8 0x58285b in ff_decode_receive_frame_internal
> libavcodec/decode.c:648:15
>     #9 0x588d4b in decode_receive_frame_internal libavcodec/decode.c:665:15
>     #10 0x58a861 in ff_decode_receive_frame libavcodec/decode.c:825:15
>     #11 0x55fc6d in audio_video_handler tools/target_dec_fuzzer.c:98:15
>     #12 0x55d79d in LLVMFuzzerTestOneInput tools/target_dec_fuzzer.c:602:9
>     #13 0x16bf1ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
> unsigned long) (tools/target_dec_vvc_fuzzer+0x16bf1ac)
>     #14 0x16a981f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
> unsigned long) (tools/target_dec_vvc_fuzzer+0x16a981f)
>     #15 0x16aee7f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
> char const*, unsigned long)) (tools/target_dec_vvc_fuzzer+0x16aee7f)
>     #16 0x16a94bb in main (tools/target_dec_vvc_fuzzer+0x16a94bb)
>     #17 0x7f5835026082 in __libc_start_main
> /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
>     #18 0x4a9ecd in _start (tools/target_dec_vvc_fuzzer+0x4a9ecd)
>
> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Good people do not need laws to tell them to act responsibly, while bad
> people will find a way around the laws. -- Plato
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
