On 12/25/2019 9:18 PM, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: > 19542/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5659498341728256 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/cbs_vp9.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c > index 98730e03e3..ec82f11c76 100644 > --- a/libavcodec/cbs_vp9.c > +++ b/libavcodec/cbs_vp9.c > @@ -416,6 +416,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext > *ctx, > uint8_t superframe_header; > int err; > > + if (frag->data_size == 0) > + return AVERROR_INVALIDDATA;
cbs_h2645 and cbs_av1 return 0 when frag->data_size == 0, but cbs_jpeg returns invalid data. I don't know which is more correct or ideal, but if the failure doesn't happen here it will happen later in the process when any code that finds out frag->nb_units is 0 will just bail out, so LGTM. > + > // Last byte in the packet. > superframe_header = frag->data[frag->data_size - 1]; > > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
