[FFmpeg-devel] [PATCH 2/2] avcodec/cbs_vp9: Check data_size

Michael Niedermayer michael at niedermayer.cc
Thu Dec 26 16:56:39 EET 2019


On Wed, Dec 25, 2019 at 10:49:47PM -0300, James Almer wrote:
> On 12/25/2019 9:18 PM, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 19542/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5659498341728256
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/cbs_vp9.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c
> > index 98730e03e3..ec82f11c76 100644
> > --- a/libavcodec/cbs_vp9.c
> > +++ b/libavcodec/cbs_vp9.c
> > @@ -416,6 +416,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx,
> >      uint8_t superframe_header;
> >      int err;
> >  
> > +    if (frag->data_size == 0)
> > +        return AVERROR_INVALIDDATA;
> 
> cbs_h2645 and cbs_av1 return 0 when frag->data_size == 0, but cbs_jpeg
> returns invalid data. I don't know which is more correct or ideal, but
> if the failure doesn't happen here it will happen later in the process
> when any code that finds out frag->nb_units is 0 will just bail out, so
> LGTM.

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

During times of universal deceit, telling the truth becomes a
revolutionary act. -- George Orwell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191226/9a96e0ef/attachment.sig>


More information about the ffmpeg-devel mailing list