Fixes: Timeout (149sec ->1sec) Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/cavsdec.c | 14 ++++++++++++--
 tests/ref/fate/cavs | 2 +-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 1c4f71824a..436f902ab3 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1101,11 +1101,16 @@ static int decode_pic(AVSContext *h)
 do {
 if (check_for_slice(h))
 skip_count = -1;
- if (h->skip_mode_flag && (skip_count < 0))
+ if (h->skip_mode_flag && (skip_count < 0)) {
+ if (get_bits_left(&h->gb) < 1)
+ break;
 skip_count = get_ue_golomb(&h->gb);
+ }
 if (h->skip_mode_flag && skip_count--) {
 decode_mb_p(h, P_SKIP);
 } else {
+ if (get_bits_left(&h->gb) < 1)
+ break;
 mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag;
 if (mb_type > P_8X8)
 ret = decode_mb_i(h, mb_type - P_8X8 - 1);
@@ -1119,11 +1124,16 @@ static int decode_pic(AVSContext *h)
 do {
 if (check_for_slice(h))
 skip_count = -1;
- if (h->skip_mode_flag && (skip_count < 0))
+ if (h->skip_mode_flag && (skip_count < 0)) {
+ if (get_bits_left(&h->gb) < 1)
+ break;
 skip_count = get_ue_golomb(&h->gb);
+ }
 if (h->skip_mode_flag && skip_count--) {
 ret = decode_mb_b(h, B_SKIP);
 } else {
+ if (get_bits_left(&h->gb) < 1)
+ break;
 mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag;
 if (mb_type > B_8X8)
 ret = decode_mb_i(h, mb_type - B_8X8 - 1);
diff --git a/tests/ref/fate/cavs b/tests/ref/fate/cavs
index ddcbe04d15..4c3d127fa3 100644
--- a/tests/ref/fate/cavs
+++ b/tests/ref/fate/cavs
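Review bot: Both added `break` statements in the P-picture loop leave `ret` untouched, so a picture whose bitstream runs out partway through exits the loop without any error status being set at that point; the same holds for the two guards in the B-picture loop in the next hunk. If a truncated picture should be distinguishable from a complete one, set the status before leaving, e.g. `ret = AVERROR_INVALIDDATA;` ahead of each `break`, or at least log a warning there. Whether that is wanted depends on how the rest of decode_pic and its caller treat `ret`, which lies outside the hunk. The changed checksum for frame 169 in tests/ref/fate/cavs suggests an existing sample already takes this path, so the choice affects real output and deserves a sentence in the commit message.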
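Review bot: The `get_bits_left(&h->gb) < 1` guards in the B-picture loop, like those in the P-picture loop above, carry no comment, so the reason for them (presumably to stop reading macroblocks once the bit reader is exhausted, which is what turns the reported timeout into a fast exit) lives only in the commit message. A one-line comment above the first guard in each loop, such as `/* bitstream exhausted: stop instead of decoding further macroblocks from no data */`, would keep a later cleanup from dropping them. The two loops are now near-identical copies that differ only in the P_/B_ constants and the skip call, so a small static helper for the skip_count/mb_type read would put the guard in one place. The loops' terminating `while` conditions are outside both hunks.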
@@ -172,4 +172,4 @@
 0, 166, 166, 1, 622080, 0x05496a5d
 0, 167, 167, 1, 622080, 0xdcb4cee8
 0, 168, 168, 1, 622080, 0xb41172e5
-0, 169, 169, 1, 622080, 0x56c72478
+0, 169, 169, 1, 622080, 0x26146e0b
--
2.23.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".