Michael Niedermayer: > Fixes: Assertion failure > Fixes: > 19629/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5676822528524288 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/cbs_h2645.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c > index c8347ba5fa..7427eefa30 100644 > --- a/libavcodec/cbs_h2645.c > +++ b/libavcodec/cbs_h2645.c > @@ -870,7 +870,8 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext > *ctx, > "from slice data.\n", z); > len -= z; > } > - > + if (len <= pos / 8) > + return AVERROR_INVALIDDATA; > slice->data_size = len - pos / 8; > slice->data_ref = av_buffer_ref(unit->data_ref); > if (!slice->data_ref) > @@ -1052,7 +1053,8 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext > *ctx, > "from slice data.\n", z); > len -= z; > } > - > + if (len <= pos / 8) > + return AVERROR_INVALIDDATA; > slice->data_size = len - pos / 8; > slice->data_ref = av_buffer_ref(unit->data_ref); > if (!slice->data_ref) >
Imagine you have CAVLC encoded H.264 where there is nothing after the header except zero bits and where the slice header is not byte-aligned. Then av_assert0(temp) in cbs_h2645_write_slice_data() will be triggered both now as well as with your patch, because your check is too crude. I have already sent a patch [2] for this. It presupposes [1]. - Andreas [1]: https://patchwork.ffmpeg.org/project/ffmpeg/patch/20191209222604.28920-5-andreas.rheinha...@gmail.com/ [2]: https://patchwork.ffmpeg.org/project/ffmpeg/patch/20191209222604.28920-6-andreas.rheinha...@gmail.com/ _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
