Message ID | 20190327001742.16131-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 54655623a82632e7624714d7b2a3e039dc5faa7e |
On 3/26/2019 9:17 PM, Michael Niedermayer wrote: > Fixes: NULL pointer dereference and out of array access > Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 > Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 > > This also fixes the return code for explode mode > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hevcdec.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c > index 86adab0ae1..857c10dd12 100644 > --- a/libavcodec/hevcdec.c > +++ b/libavcodec/hevcdec.c > @@ -488,6 +488,11 @@ static int hls_slice_header(HEVCContext *s) > > // Coded parameters > sh->first_slice_in_pic_flag = get_bits1(gb); > + if (s->ref && sh->first_slice_in_pic_flag) { > + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); > + return 1; // This slice will be skiped later, do not corrupt state > + } > + > if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { > s->seq_decode = (s->seq_decode + 1) & 0xff; > s->max_ra = INT_MAX; > @@ -2918,6 +2923,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) > ret = hls_slice_header(s); > if (ret < 0) > return ret; > + if (ret == 1) { > + ret = AVERROR_INVALIDDATA; > + goto fail; > + } > + > > if ( > (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) || 
> @@ -2927,10 +2937,6 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) > } > > if (s->sh.first_slice_in_pic_flag) { > - if (s->ref) { > - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); > - goto fail; > - } > if (s->max_ra == INT_MAX) { > if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { > s->max_ra = s->poc; LGTM. Please also backport it. Thanks.
On Tue, Mar 26, 2019 at 10:19:44PM -0300, James Almer wrote: > On 3/26/2019 9:17 PM, Michael Niedermayer wrote: > > Fixes: NULL pointer dereference and out of array access > > Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 > > Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 > > > > This also fixes the return code for explode mode > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/hevcdec.c | 14 ++++++++++---- > > 1 file changed, 10 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c > > index 86adab0ae1..857c10dd12 100644 > > --- a/libavcodec/hevcdec.c > > +++ b/libavcodec/hevcdec.c > > @@ -488,6 +488,11 @@ static int hls_slice_header(HEVCContext *s) > > > > // Coded parameters > > sh->first_slice_in_pic_flag = get_bits1(gb); > > + if (s->ref && sh->first_slice_in_pic_flag) { > > + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); > > + return 1; // This slice will be skiped later, do not corrupt state > > + } > > + > > if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { > > s->seq_decode = (s->seq_decode + 1) & 0xff; > > s->max_ra = INT_MAX; > > @@ -2918,6 +2923,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) > > ret = hls_slice_header(s); > > if (ret < 0) > > return ret; > > + if (ret == 1) { > > + ret = AVERROR_INVALIDDATA; > > + goto fail; > > + } > > + > > > > if ( > > (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) || 
> > @@ -2927,10 +2937,6 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) > > } > > > > if (s->sh.first_slice_in_pic_flag) { > > - if (s->ref) { > > - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); > > - goto fail; > > - } > > if (s->max_ra == INT_MAX) { > > if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { > > s->max_ra = s->poc; > > LGTM. Please also backport it. Thanks. applied thx [...]
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 86adab0ae1..857c10dd12 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -488,6 +488,11 @@ static int hls_slice_header(HEVCContext *s)
 
     // Coded parameters
     sh->first_slice_in_pic_flag = get_bits1(gb);
+    if (s->ref && sh->first_slice_in_pic_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
+        return 1; // This slice will be skiped later, do not corrupt state
+    }
+
     if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
         s->seq_decode = (s->seq_decode + 1) & 0xff;
         s->max_ra = INT_MAX;
@@ -2918,6 +2923,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
         ret = hls_slice_header(s);
         if (ret < 0)
             return ret;
+        if (ret == 1) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
 
         if (
             (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) ||
@@ -2927,10 +2937,6 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
         }
 
         if (s->sh.first_slice_in_pic_flag) {
-            if (s->ref) {
-                av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
-                goto fail;
-            }
             if (s->max_ra == INT_MAX) {
                 if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) {
                     s->max_ra = s->poc;
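Review bot: hls_slice_header now returns the bare literal 1 to mean "skip this slice", next to the negative AVERROR codes it already returns, and nothing documents that contract; the `if (ret == 1)` added in the decode_nal_unit hunk repeats the same magic number. A comment above the function (its signature is outside this hunk) along the lines of `/* Returns 0 on success, a negative AVERROR on a malformed header, or 1 when a second slice claims to be the first of the picture still held in s->ref; in that case the caller must drop the slice, and parsing stops here so per-picture state (seq_decode, max_ra, ...) is not touched. */` would make the sentinel discoverable, and a named constant would be better still. The comment on the `return 1;` line misspells "skipped". If hls_slice_header has any other caller, it would also need to handle the new positive return; I cannot see from this page whether one exists.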
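Review bot: The trailing `+` blank line of the insertion in decode_nal_unit lands directly before an existing blank context line, leaving two consecutive empty lines between the new `}` and the `if (` that follows. Dropping that last added line keeps the function's single-blank-line spacing. The `fail:` label the new goto jumps to and the rest of decode_nal_unit are outside this hunk, so I cannot confirm what cleanup runs there before ret is returned.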
Fixes: NULL pointer dereference and out of array access Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 This also fixes the return code for explode mode Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevcdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)