[FFmpeg-devel,01/12] avcodec/wmaprodec: get frame during frame decode

Fixes: memleak
Fixes: 17615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5681306024804352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wmaprodec.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

bettter add init cleanup?

On 9/25/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: memleak
> Fixes:
> 17615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5681306024804352
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/wmaprodec.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
> index d0fa974c80..5ff26e907d 100644
> --- a/libavcodec/wmaprodec.c
> +++ b/libavcodec/wmaprodec.c
> @@ -1793,6 +1793,12 @@ static int xma_decode_packet(AVCodecContext *avctx,
> void *data,
>      AVFrame *frame = data;
>      int i, ret, offset = INT_MAX;
>
> +    if (!s->frames[s->current_stream]->data[0]) {
> +        s->frames[s->current_stream]->nb_samples = 512;
> +        if ((ret = ff_get_buffer(avctx, s->frames[s->current_stream], 0)) <
> 0) {
> +            return ret;
> +        }
> +    }
>      /* decode current stream packet */
>      ret = decode_packet(avctx, &s->xma[s->current_stream],
> s->frames[s->current_stream],
>                          &got_stream_frame_ptr, avpkt);
> @@ -1915,10 +1921,6 @@ static av_cold int xma_decode_init(AVCodecContext
> *avctx)
>          s->frames[i] = av_frame_alloc();
>          if (!s->frames[i])
>              return AVERROR(ENOMEM);
> -        s->frames[i]->nb_samples = 512;
> -        if ((ret = ff_get_buffer(avctx, s->frames[i], 0)) < 0) {
> -            return AVERROR(ENOMEM);
> -        }
>
>          s->start_channel[i] = start_channels;
>          start_channels += s->xma[i].nb_channels;
> --
> 2.23.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Thu, Sep 26, 2019 at 09:50:15AM +0200, Paul B Mahol wrote:
> bettter add init cleanup?

Thats not the problem, init does not fail with the testcase
also the cleanup is called for every case init is called

The problem is that ff_get_buffer() during init is not fully supported

Also API says "This callback is called at the beginning of each frame to get data"
so i think the change done by the patch is correct

We could fix the code to make ff_get_buffer() during init work but
i couldnt find another decoder that does this so it seems thats
not worth it

Thanks

[...]

ok

On 11/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Thu, Sep 26, 2019 at 09:50:15AM +0200, Paul B Mahol wrote:
>> bettter add init cleanup?
>
> Thats not the problem, init does not fail with the testcase
> also the cleanup is called for every case init is called
>
> The problem is that ff_get_buffer() during init is not fully supported
>
> Also API says "This callback is called at the beginning of each frame to get
> data"
> so i think the change done by the patch is correct
>
> We could fix the code to make ff_get_buffer() during init work but
> i couldnt find another decoder that does this so it seems thats
> not worth it
>
> Thanks
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Those who are too smart to engage in politics are punished by being
> governed by those who are dumber. -- Plato
>

On Sat, Nov 09, 2019 at 04:11:13PM +0100, Paul B Mahol wrote:
> ok

will apply

thanks

[...]