On Tue, Mar 24, 2020 at 10:59:21AM +0100, Anton Khirnov wrote: > Quoting Michael Niedermayer (2020-03-24 01:41:43) > > Fixes: out of array access > > Fixes: > > 21193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5125168956702720 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/decode.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/libavcodec/decode.c b/libavcodec/decode.c > > index af6bb3f952..fb22ef0ef3 100644 > > --- a/libavcodec/decode.c > > +++ b/libavcodec/decode.c > > @@ -1972,6 +1972,7 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame > > *frame, int flags) > > if (ret < 0) { > > av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); > > frame->width = frame->height = 0; > > + frame->format = -1; > > This looks ad-hoc. And also unnecessary, since get_buffer_internal() is > already calling av_frame_unref() on failure. > Seems it's just missing the cleanup goto on ff_decode_frame_props() > failure.
will post a patch to fix that cleanup but i have to say that i feel a bit uneasy that a fix to out of array access is "not forgetting cleanup on any path" Ill add a assert so if another path leads to this, it at least gets stoped/clearly caught. Thanks -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The greatest way to live with honor in this world is to be what we pretend to be. -- Socrates
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
