On Tue, Mar 26, 2019 at 10:19:44PM -0300, James Almer wrote: > On 3/26/2019 9:17 PM, Michael Niedermayer wrote: > > Fixes: NULL pointer dereference and out of array access > > Fixes: > > 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 > > Fixes: > > 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 > > > > This also fixes the return code for explode mode > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/hevcdec.c | 14 ++++++++++---- > > 1 file changed, 10 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c > > index 86adab0ae1..857c10dd12 100644 > > --- a/libavcodec/hevcdec.c > > +++ b/libavcodec/hevcdec.c > > @@ -488,6 +488,11 @@ static int hls_slice_header(HEVCContext *s) > > > > // Coded parameters > > sh->first_slice_in_pic_flag = get_bits1(gb); > > + if (s->ref && sh->first_slice_in_pic_flag) { > > + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the > > first in the same frame.\n"); > > + return 1; // This slice will be skiped later, do not corrupt state > > + } > > + > > if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { > > s->seq_decode = (s->seq_decode + 1) & 0xff; > > s->max_ra = INT_MAX; > > @@ -2918,6 +2923,11 @@ static int decode_nal_unit(HEVCContext *s, const > > H2645NAL *nal) > > ret = hls_slice_header(s); > > if (ret < 0) > > return ret; > > + if (ret == 1) { > > + ret = AVERROR_INVALIDDATA; > > + goto fail; > > + } > > + > > > > if ( > > (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type > > == HEVC_SLICE_B) || 
> > @@ -2927,10 +2937,6 @@ static int decode_nal_unit(HEVCContext *s, const > > H2645NAL *nal) > > } > > > > if (s->sh.first_slice_in_pic_flag) { > > - if (s->ref) { > > - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being > > the first in the same frame.\n"); > > - goto fail; > > - } > > if (s->max_ra == INT_MAX) { > > if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { > > s->max_ra = s->poc; > > LGTM. Please also backport it. Thanks.
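Review bot: the new early-return in hls_slice_header signals the duplicate first slice with a bare `return 1;` while the function's other exits are 0 or negative AVERROR codes; a comment above the function (or a named constant) stating that a positive return means "slice rejected, caller must skip it" would keep a future caller from treating 1 as success, and the inline comment has a typo ("skiped"). The placement itself looks right: the check now runs before `s->seq_decode` and `s->max_ra` are updated for a first slice, which the old check in decode_nal_unit (removed in the last hunk) only reached after hls_slice_header had already done those updates.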
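Review bot: the `ret == 1` branch in decode_nal_unit sets `ret = AVERROR_INVALIDDATA` before `goto fail`, which is what "fixes the return code for explode mode" in the commit message refers to: the removed check in the last hunk jumped to fail with `ret` still holding the success value from hls_slice_header, so the error was logged but not reported to the caller. Worth a one-line comment is the asymmetry with the `ret < 0` case two lines above, which returns directly instead of taking the fail path; if that difference is intentional, saying so on the `ret == 1` branch saves the next reader the question.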
applied

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The bravest are surely those who have the clearest vision of what is before
them, glory and danger alike, and yet notwithstanding go out to meet it.
-- Thucydides
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".