Hi,

On Mon, Feb 27, 2017 at 10:28 PM, Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Fixes: 686/clusterfuzz-testcase-5853946876788736
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
> libavcodec/vp8.c | 20 ++++++++++++++------
> libavcodec/vp8.h | 2 +-
> 2 files changed, 15 insertions(+), 7 deletions(-)
>
> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
> index c1c3eb7072..cc158528ef 100644
> --- a/libavcodec/vp8.c
> +++ b/libavcodec/vp8.c
> @@ -2275,7 +2275,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext
> *avctx, VP8Frame *cur_frame,
> #define update_pos(td, mb_y, mb_x) while(0)
> #endif
>
> -static av_always_inline void decode_mb_row_no_filter(AVCodecContext
> *avctx, void *tdata,
> +static av_always_inline int decode_mb_row_no_filter(AVCodecContext
> *avctx, void *tdata,
> int jobnr, int threadnr, int
> is_vp7)
> {
> VP8Context *s = avctx->priv_data;
> @@ -2291,6 +2291,10 @@ static av_always_inline void
> decode_mb_row_no_filter(AVCodecContext *avctx, void
> curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize,
> curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize
> };
> +
> + if (c->end <= c->buffer && c->bits >= 0)
> + return AVERROR_INVALIDDATA;

From vp56.h:

    if(bits >= 0 && c->buffer < c->end) {
        code_word |= bytestream_get_be16(&c->buffer) << bits;
        bits -= 16;
    }

So this looks suspicious, c->end should never be more than 1 byte beyond c->buffer (which is padded by AV_INPUT_BUFFER_PADDING_SIZE). What is the real issue?

Ronald

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
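Review bot: the check added in the second hunk, "if (c->end <= c->buffer && c->bits >= 0) return AVERROR_INVALIDDATA;", runs once at the top of decode_mb_row_no_filter, so a partition that runs dry part-way through a macroblock row is still decoded to the end of that row with whatever the range coder yields once refills stop; if rejecting truncated input at row granularity is the intent, a one-line comment above the check saying so would help, and the commit message should state the symptom the fuzzer hit, since "Fixes: 686/clusterfuzz-testcase-5853946876788736" alone does not tell a reviewer whether this is a crash, a timeout or an over-read. In the first hunk the return type of decode_mb_row_no_filter changes from void to int, but none of the callers appear in the quoted hunks; make sure the wrapper that hands this function to the thread pool propagates AVERROR_INVALIDDATA instead of discarding it.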
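As an added illustration of the refill behaviour Ronald quotes from vp56.h, the program below is a constructed model written for this page; it is not FFmpeg's code and not from anyone in the thread. It mimics the "bits >= 0 && buffer < end" refill over a payload followed by zeroed padding, records how far buffer can get past end and the highest byte offset actually dereferenced, and evaluates the exact condition the patch adds. The model_* names, PADDING, the payload bytes and the 7-bit consume step are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the vp56 refill step quoted above. This is NOT FFmpeg's
 * code: the model_* names, PADDING, the payload bytes and the 7-bit consume step
 * are assumptions made for the demonstration. */
#define PADDING 64           /* stands in for AV_INPUT_BUFFER_PADDING_SIZE */

typedef struct {
    const uint8_t *base;     /* start of the padded input, for bookkeeping only */
    const uint8_t *buffer;   /* next byte to fetch */
    const uint8_t *end;      /* one past the last real data byte */
    int            bits;     /* a refill is wanted when >= 0 */
    uint32_t       code_word;
    size_t         max_read; /* highest byte offset actually dereferenced */
} model_rac;

typedef struct {
    long   overrun;          /* buffer - end once the input is exhausted */
    size_t max_read;         /* highest byte offset read while getting there */
} model_result;

/* Same shape as the quoted refill: fetch a big-endian 16-bit word only while
 * buffer < end. The test is buffer < end, not buffer + 2 <= end, so the fetch
 * may touch end[0] (the first padding byte) and buffer may stop at end + 1. */
static void model_refill(model_rac *c)
{
    if (c->bits >= 0 && c->buffer < c->end) {
        size_t   idx  = (size_t)(c->buffer - c->base);
        uint32_t word = ((uint32_t)c->buffer[0] << 8) | c->buffer[1];
        if (idx + 1 > c->max_read)
            c->max_read = idx + 1;
        c->code_word |= word << c->bits;
        c->buffer    += 2;
        c->bits      -= 16;
    }
}

static void model_init(model_rac *c, const uint8_t *data, size_t len)
{
    memset(c, 0, sizeof(*c));
    c->base   = data;
    c->buffer = data;
    c->end    = data + len;
    c->bits   = 0;           /* an initial refill happens if any data exists */
    model_refill(c);
}

/* Stand-in for renormalisation: the decoder has used n bits of code_word. */
static void model_consume(model_rac *c, int n)
{
    c->code_word <<= n;
    c->bits       += n;
    model_refill(c);
}

/* The condition the patch adds before decoding a macroblock row. */
static int model_input_exhausted(const model_rac *c)
{
    return c->end <= c->buffer && c->bits >= 0;
}

/* Lays out `len` constructed payload bytes followed by zeroed padding, then
 * consumes 7 bits at a time until the patch's condition fires. */
static model_result model_run(size_t len)
{
    uint8_t padded[32 + PADDING];
    memset(padded, 0, sizeof(padded));
    if (len > 32)
        len = 32;
    for (size_t i = 0; i < len; i++)
        padded[i] = (uint8_t)(0xA5 ^ (i * 37));

    model_rac c;
    model_init(&c, padded, len);
    for (int guard = 0; guard < 100000 && !model_input_exhausted(&c); guard++)
        model_consume(&c, 7);

    model_result r = { (long)(c.buffer - c.end), c.max_read };
    return r;
}

int main(void)
{
    /* overrun is 0 for even len and 1 for odd len, never more; with odd len the
     * highest byte read is offset len, i.e. the first padding byte. */
    for (size_t len = 0; len <= 6; len++) {
        model_result r = model_run(len);
        printf("len=%zu overrun=%ld max_read=%zu\n", len, r.overrun, r.max_read);
    }
    return 0;
}
```

In this model the overrun is 0 for even payload lengths and 1 for odd ones, and in the odd case the highest byte read is offset len, the first padding byte, so the refill itself stays well inside AV_INPUT_BUFFER_PADDING_SIZE. What the patch's condition picks out is a different state: buffer has reached end and the coder wants more bits, after which the quoted refill is skipped and the coder keeps shifting without new input.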