Quoting Michael Niedermayer (2020-03-24 01:41:43) > Fixes: out of array access > Fixes: > 21193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5125168956702720 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/decode.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libavcodec/decode.c b/libavcodec/decode.c > index af6bb3f952..fb22ef0ef3 100644 > --- a/libavcodec/decode.c > +++ b/libavcodec/decode.c > @@ -1972,6 +1972,7 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame > *frame, int flags) > if (ret < 0) { > av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); > frame->width = frame->height = 0; > + frame->format = -1;
This looks ad-hoc. And also unnecessary, since get_buffer_internal() is already calling av_frame_unref() on failure. Seems it's just missing the cleanup goto on ff_decode_frame_props() failure. -- Anton Khirnov _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
