This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new ba825ce85f avcodec/mwsc: do not dereference a missing reference frame
ba825ce85f is described below

commit ba825ce85f9347c0eac3dfe9d8cf7ebde6dcd86b
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sun May 31 04:31:05 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Fri Jun 5 01:27:39 2026 +0000

    avcodec/mwsc: do not dereference a missing reference frame
    
    Fixes: 
493841393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5079884677578752
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/mwsc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c
index 0d4ee9791a..8976376d4f 100644
--- a/libavcodec/mwsc.c
+++ b/libavcodec/mwsc.c
@@ -65,6 +65,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext 
*pb, GetByteContext
         } else if (run == 255) {
             int pos = bytestream2_tell_p(pb);
 
+            if (!gbp)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_seek(gbp, pos, SEEK_SET);
 
             if (pos + width - w < fill)
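Review bot: The new `if (!gbp)` guard makes a NULL `gbp` part of rle_uncompress's contract, but nothing at the check records that. A short comment above it, for example `/* gbp is NULL when there is no previous frame; a copy-from-reference run is then invalid data */`, would keep a later edit from adding another `gbp` access without the guard. The function's signature and the rest of the `run == 255` branch lie outside the hunk, so any further reads through `gbp` there could not be checked from here.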
@@ -128,11 +131,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame 
*frame,
         return ret;
 
     bytestream2_init(&gb, s->decomp_buf, zstream->total_out);
-    bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * 
s->prev_frame->linesize[0]);
+    if (s->prev_frame->data[0])
+        bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * 
s->prev_frame->linesize[0]);
     bytestream2_init_writer(&pb, frame->data[0], avctx->height * 
frame->linesize[0]);
 
-    if (rle_uncompress(&gb, &pb, &gbp, avctx->width, avctx->height, 
avctx->width * 3,
-                       frame->linesize[0], s->prev_frame->linesize[0]))
+    ret = rle_uncompress(&gb, &pb, s->prev_frame->data[0] ? &gbp : NULL,
+                         avctx->width, avctx->height, avctx->width * 3,
+                         frame->linesize[0], s->prev_frame->linesize[0]);
+    if (ret < 0)
+        return ret;
+    if (ret)
         frame->flags |= AV_FRAME_FLAG_KEY;
     else
         frame->flags &= ~AV_FRAME_FLAG_KEY;
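Review bot: `s->prev_frame->data[0]` is tested twice in decode_frame, once to initialise `gbp` and again to choose between `&gbp` and `NULL`, so the two conditions can drift apart and `gbp` stays uninitialised on one path. Deciding once is harder to break: declare `GetByteContext *prev = NULL;`, set `prev = &gbp;` inside the existing `if` after `bytestream2_init()`, and pass `prev` to `rle_uncompress()`. Separately, the reader bound `avctx->height * s->prev_frame->linesize[0]` combines the current height with the previous frame's stride; whether both frames are guaranteed to share dimensions is not visible in this hunk and is worth confirming. decode_frame starts and ends outside the hunk.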
