diff mbox

[FFmpeg-devel,1/2] avcodec/cavsdec: Check I frame mb decode for errors

Message ID 20170813183839.18269-1-michael@niedermayer.cc
State Accepted
Commit 426a322aa2bfd8ec28e467743c79dad81c63c108
Headers show

Commit Message

Michael Niedermayer Aug. 13, 2017, 6:38 p.m. UTC 
Fixes: timeout
Fixes: 2943/clusterfuzz-testcase-5430257156882432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cavsdec.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer Aug. 14, 2017, 11:08 p.m. UTC | #1 
On Sun, Aug 13, 2017 at 08:38:38PM +0200, Michael Niedermayer wrote:
> Fixes: timeout
> Fixes: 2943/clusterfuzz-testcase-5430257156882432
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cavsdec.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)

patchset applied

[...]
diff mbox

Patch

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 7a5f795dab..02b3d213a9 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1070,10 +1070,14 @@  static int decode_pic(AVSContext *h)
     } else {
         h->alpha_offset = h->beta_offset  = 0;
     }
+
+    ret = 0;
     if (h->cur.f->pict_type == AV_PICTURE_TYPE_I) {
         do {
             check_for_slice(h);
-            decode_mb_i(h, 0);
+            ret = decode_mb_i(h, 0);
+            if (ret < 0)
+                break;
         } while (ff_cavs_next_mb(h));
     } else if (h->cur.f->pict_type == AV_PICTURE_TYPE_P) {
         do {
@@ -1109,12 +1113,12 @@  static int decode_pic(AVSContext *h)
         } while (ff_cavs_next_mb(h));
     }
     emms_c();
-    if (h->cur.f->pict_type != AV_PICTURE_TYPE_B) {
+    if (ret >= 0 && h->cur.f->pict_type != AV_PICTURE_TYPE_B) {
         av_frame_unref(h->DPB[1].f);
         FFSWAP(AVSFrame, h->cur, h->DPB[1]);
         FFSWAP(AVSFrame, h->DPB[0], h->DPB[1]);
     }
-    return 0;
+    return ret;
 }
 
 /*****************************************************************************