On 9/24/2020 5:20 PM, Michael Niedermayer wrote: > Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct > TileGroupInfo') > Fixes: > 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/av1dec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c > index 0bb04a3e44..cf3a78aad8 100644 > --- a/libavcodec/av1dec.c > +++ b/libavcodec/av1dec.c > @@ -209,6 +209,9 @@ static int get_tiles_info(AVCodecContext *avctx, const > AV1RawTileGroup *tile_gro > uint16_t tile_num, tile_row, tile_col; > uint32_t size = 0, size_bytes = 0; > > + if (s->tile_num != s->raw_frame_header->tile_cols * > s->raw_frame_header->tile_rows) > + return AVERROR_INVALIDDATA;
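Review bot: The added check in get_tiles_info treats a symptom rather than the cause. s->tile_num is set when a frame header is parsed, so s->tile_num != tile_cols * tile_rows can only be true when s->raw_frame_header refers to a header that was not fully parsed (or belongs to an earlier frame), and the null 'TileGroupInfo' access in the fuzz report is one consequence of that stale state; other fields derived from the same header remain inconsistent after this check passes. Consider invalidating the frame-header state on the decode error path instead, and if this comparison is kept as a defensive check, add a one-line comment saying it guards against a stale frame header so the next reader does not take it for a bitstream-conformance check. Note also that the check itself dereferences s->raw_frame_header, so it must stay after any code path that could leave that pointer NULL.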
This shouldn't happen if a frame header was properly parsed. It sounds like one wasn't yet s->raw_frame_header was left pointing to it. Does the following also fix this crash? > diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c > index 0bb04a3e44..e650d43d9e 100644 > --- a/libavcodec/av1dec.c > +++ b/libavcodec/av1dec.c > @@ -831,6 +831,9 @@ static int av1_decode_frame(AVCodecContext *avctx, void > *frame, > > end: > ff_cbs_fragment_reset(&s->current_obu); > + if (ret < 0) > + s->raw_frame_header = NULL; > + > return ret; > } > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
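Review bot: Setting s->raw_frame_header = NULL on every ret < 0 at the end label turns a stale-pointer bug into a possible NULL-pointer one: any code that reads s->raw_frame_header for the next OBU (the tile_cols * tile_rows comparison proposed above included) now needs an explicit NULL check, and the hunk should be accompanied by those checks or by a note that get_tiles_info and its callers already reject a missing frame header. Resetting only the pointer also leaves s->tile_num and the tile group state from the failed frame in place, so consider clearing the dependent state together with the header (or at least add a comment at the `if (ret < 0)` explaining why the header is dropped). Since the patch is offered as an alternative fix, the fuzzer testcase named in the original commit (25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616) should be re-run against it before it replaces the original check.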