This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new cbbe68fb1a avcodec/snowenc: avoid NULL ptr arithmetic
cbbe68fb1a is described below
commit cbbe68fb1a60ce27c38e89733fc9b0003814997e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Feb 14 01:23:34 2026 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Thu Mar 5 01:23:40 2026 +0100
avcodec/snowenc: avoid NULL ptr arithmetic
Fixes: applying non-zero offset 16 to null pointer
Fixes:
471614378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5967030642868224
Note: FF_PTR_ADD() does not work as this code has NULL + 123 cases where
the pointer is unused afterwards
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/snowenc.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c
index 43412bb974..5312d48e99 100644
--- a/libavcodec/snowenc.c
+++ b/libavcodec/snowenc.c
@@ -73,6 +73,8 @@ typedef struct SnowEncContext {
IDWTELEM obmc_scratchpad[MB_SIZE * MB_SIZE * 12 * 2];
} SnowEncContext;
+#define PTR_ADD(ptr, off) ((ptr) ? (ptr) + (off) : NULL)
+
static void init_ref(MotionEstContext *c, const uint8_t *const src[3],
uint8_t *const ref[3], uint8_t *const ref2[3],
int x, int y, int ref_index)
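Review bot: The new `PTR_ADD()` macro has no comment saying how it differs from `FF_PTR_ADD()`, which the commit message names as unsuitable here, so a later reader may swap one for the other and reintroduce the NULL + offset arithmetic. I would add above it `/* Unlike FF_PTR_ADD(), a NULL ptr stays NULL for any offset; ptr is evaluated twice. */`. The double evaluation of `ptr` is harmless for the two call sites in this commit (the `c->ref[0][i]` assignment in init_ref and the `current_data[]` initializer in encode_q_branch), but it is worth stating because the macro name is generic.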
@@ -85,7 +87,7 @@ static void init_ref(MotionEstContext *c, const uint8_t
*const src[3],
};
for (int i = 0; i < 3; i++) {
c->src[0][i] = src [i];
- c->ref[0][i] = ref [i] + offset[i];
+ c->ref[0][i] = PTR_ADD(ref[i], offset[i]);
}
av_assert2(!ref_index);
}
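Review bot: After this change a NULL `ref[i]` is stored as NULL in `c->ref[0][i]` instead of as a bogus non-NULL pointer, and nothing in the hunk says which planes may be NULL or that they are never read afterwards. The commit message states the pointer is unused in those cases; a short comment on the assignment, e.g. `/* ref[i] may be NULL for planes that are not read afterwards */`, would record that invariant where it matters. The beginning of init_ref's body lies outside this hunk, so how `offset[i]` is derived cannot be checked here.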
@@ -404,8 +406,8 @@ static int encode_q_branch(SnowEncContext *enc, int level,
int x, int y)
const int stride= s->current_picture->linesize[0];
const int uvstride= s->current_picture->linesize[1];
const uint8_t *const current_data[3] = { s->input_picture->data[0] + (x +
y* stride)*block_w,
- s->input_picture->data[1] +
((x*block_w)>>s->chroma_h_shift) + ((y*uvstride*block_w)>>s->chroma_v_shift),
- s->input_picture->data[2] +
((x*block_w)>>s->chroma_h_shift) + ((y*uvstride*block_w)>>s->chroma_v_shift)};
+ PTR_ADD(s->input_picture->data[1],
((x*block_w)>>s->chroma_h_shift) + ((y*uvstride*block_w)>>s->chroma_v_shift)),
+ PTR_ADD(s->input_picture->data[2],
((x*block_w)>>s->chroma_h_shift) + ((y*uvstride*block_w)>>s->chroma_v_shift))};
int P[10][2];
int16_t last_mv[3][2];
int qpel= !!(s->avctx->flags & AV_CODEC_FLAG_QPEL); //unused
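Review bot: The chroma offset expression is now written out twice as the second argument of `PTR_ADD()` on the `data[1]` and `data[2]` entries of `current_data[]`, which makes the initializer long and easy to let drift apart. Computing it once before the array, `const int chroma_off = ((x*block_w)>>s->chroma_h_shift) + ((y*uvstride*block_w)>>s->chroma_v_shift);`, and then writing `PTR_ADD(s->input_picture->data[1], chroma_off)` and the same for `data[2]` would read better. The luma entry still uses plain `s->input_picture->data[0] + ...`, which is fine only if `data[0]` is never NULL at this point; presumably that holds, but it cannot be confirmed from the hunk. encode_q_branch starts and continues outside the hunk.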