On 14/05/2025 21:50, Mark Thompson wrote: > Buffers are allocated inside some metadata types, so we must ensure > that the object is visible to the free function before a parse failure. > > Found by libFuzzer. > --- > libavcodec/cbs_apv_syntax_template.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/cbs_apv_syntax_template.c > b/libavcodec/cbs_apv_syntax_template.c > index ca66349141..fc8a08ff31 100644 > --- a/libavcodec/cbs_apv_syntax_template.c > +++ b/libavcodec/cbs_apv_syntax_template.c > @@ -543,11 +543,11 @@ static int FUNC(metadata)(CodedBitstreamContext *ctx, > RWContext *rw, > return AVERROR_INVALIDDATA; > } > > + current->metadata_count = p + 1; > + > CHECK(FUNC(metadata_payload)(ctx, rw, pl)); > > metadata_bytes_left -= pl->payload_size; > - > - current->metadata_count = p + 1; > if (metadata_bytes_left == 0) > break; > }
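Review bot: moving `current->metadata_count = p + 1;` ahead of `CHECK(FUNC(metadata_payload)(ctx, rw, pl));` does make the entry reachable by the free function when the payload parse fails, but it also means the free function will now be handed an entry whose payload fields are in whatever state a partially-completed `metadata_payload` left them. It is worth confirming that each `pl` entry is zero-initialised before `metadata_payload` runs (so that any buffer pointers the free function looks at are NULL rather than uninitialised) and that the free path tolerates an entry with `payload_size` set but no allocated buffers; otherwise this fix trades a leak for a free of an indeterminate pointer. The rest of the hunk, including `metadata_bytes_left -= pl->payload_size;` staying after the CHECK, reads correctly.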
Applied.

Simple application of libFuzzer to the decoder hasn't found anything else, either.

Thanks,

- Mark

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel