diff mbox series

[FFmpeg-devel,2/5] libavcodec/mvha: Check height before applying median predictor

Message ID 20200209191424.19041-2-michael@niedermayer.cc
State Accepted
Headers show
Series [FFmpeg-devel,1/5] avcodec/midivid: Check vector index | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Feb. 9, 2020, 7:14 p.m. UTC 
Fixes: out of array read
Fixes: 20495/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5711179129552896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mvha.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

Comments

Paul B Mahol Feb. 9, 2020, 7:28 p.m. UTC | #1 
lgtm

On 2/9/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes:
> 20495/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5711179129552896
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/mvha.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
> index afe5e511f2..1ea3bb3d76 100644
> --- a/libavcodec/mvha.c
> +++ b/libavcodec/mvha.c
> @@ -256,12 +256,14 @@ static int decode_frame(AVCodecContext *avctx,
>
>          dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
>          s->llviddsp.add_left_pred(dst, dst, width, 0);
> -        dst -= stride;
> -        lefttop = left = dst[0];
> -        for (int y = 1; y < avctx->height; y++) {
> -            s->llviddsp.add_median_pred(dst, dst + stride, dst, width,
> &left, &lefttop);
> -            lefttop = left = dst[0];
> +        if (avctx->height > 1) {
>              dst -= stride;
> +            lefttop = left = dst[0];
> +            for (int y = 1; y < avctx->height; y++) {
> +                s->llviddsp.add_median_pred(dst, dst + stride, dst, width,
> &left, &lefttop);
> +                lefttop = left = dst[0];
> +                dst -= stride;
> +            }
>          }
>      }
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Feb. 9, 2020, 8:20 p.m. UTC | #2 
On Sun, Feb 09, 2020 at 08:28:27PM +0100, Paul B Mahol wrote:
> lgtm

will apply

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index afe5e511f2..1ea3bb3d76 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -256,12 +256,14 @@  static int decode_frame(AVCodecContext *avctx,
 
         dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
         s->llviddsp.add_left_pred(dst, dst, width, 0);
-        dst -= stride;
-        lefttop = left = dst[0];
-        for (int y = 1; y < avctx->height; y++) {
-            s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
-            lefttop = left = dst[0];
+        if (avctx->height > 1) {
             dst -= stride;
+            lefttop = left = dst[0];
+            for (int y = 1; y < avctx->height; y++) {
+                s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
+                lefttop = left = dst[0];
+                dst -= stride;
+            }
         }
     }