Message ID | 20180627181121.30735-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 75a2db552423295b509546f3b0f8b2b46d3424b1 |
2018-06-27 20:11 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc>:
> Fixes: null pointer dereference > Fixes: > 8946/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5078915222601728 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dpx.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c > index f75e2cbbca..cf23bb6ba1 100644 > --- a/libavcodec/dpx.c > +++ b/libavcodec/dpx.c > @@ -395,12 +395,14 @@ static int decode_frame(AVCodecContext *avctx, > if (elements == 4) > *dst[3]++ = read16(&buf, endian) >> shift & 0xFFF; > } else { > - *dst[2]++ = read12in32(&buf, &rgbBuffer, > - &n_datum, endian); > + if (elements >= 3) > + *dst[2]++ = read12in32(&buf, &rgbBuffer, > + &n_datum, endian); > *dst[0]++ = read12in32(&buf, &rgbBuffer, > &n_datum, endian); > - *dst[1]++ = read12in32(&buf, &rgbBuffer, > - &n_datum, endian); > + if (elements >= 2) > + *dst[1]++ = read12in32(&buf, &rgbBuffer, > + &n_datum, endian); > if (elements == 4) > *dst[3]++ = read12in32(&buf, &rgbBuffer, > &n_datum, endian);

Looks good to me, please commit.

Sorry, Carl Eugen
On Thu, Jun 28, 2018 at 12:56:29AM +0200, Carl Eugen Hoyos wrote:
> 2018-06-27 20:11 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc>: > > Fixes: null pointer dereference > > Fixes: > > 8946/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5078915222601728 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/dpx.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c > > index f75e2cbbca..cf23bb6ba1 100644 > > --- a/libavcodec/dpx.c > > +++ b/libavcodec/dpx.c > > @@ -395,12 +395,14 @@ static int decode_frame(AVCodecContext *avctx, > > if (elements == 4) > > *dst[3]++ = read16(&buf, endian) >> shift & 0xFFF; > > } else { > > - *dst[2]++ = read12in32(&buf, &rgbBuffer, > > - &n_datum, endian); > > + if (elements >= 3) > > + *dst[2]++ = read12in32(&buf, &rgbBuffer, > > + &n_datum, endian); > > *dst[0]++ = read12in32(&buf, &rgbBuffer, > > &n_datum, endian); > > - *dst[1]++ = read12in32(&buf, &rgbBuffer, > > - &n_datum, endian); > > + if (elements >= 2) > > + *dst[1]++ = read12in32(&buf, &rgbBuffer, > > + &n_datum, endian); > > if (elements == 4) > > *dst[3]++ = read12in32(&buf, &rgbBuffer, > > &n_datum, endian); > > Looks good to me, please commit.

will apply thx [...]
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index f75e2cbbca..cf23bb6ba1 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -395,12 +395,14 @@ static int decode_frame(AVCodecContext *avctx, if (elements == 4) *dst[3]++ = read16(&buf, endian) >> shift & 0xFFF; } else { - *dst[2]++ = read12in32(&buf, &rgbBuffer, - &n_datum, endian); + if (elements >= 3) + *dst[2]++ = read12in32(&buf, &rgbBuffer, + &n_datum, endian); *dst[0]++ = read12in32(&buf, &rgbBuffer, &n_datum, endian); - *dst[1]++ = read12in32(&buf, &rgbBuffer, - &n_datum, endian); + if (elements >= 2) + *dst[1]++ = read12in32(&buf, &rgbBuffer, + &n_datum, endian); if (elements == 4) *dst[3]++ = read12in32(&buf, &rgbBuffer, &n_datum, endian);
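Review bot: the new `if (elements >= 3)` and `if (elements >= 2)` guards in this hunk make the 12-bit path skip the `dst[2]` and `dst[1]` writes based on `elements` rather than on whether those plane pointers are non-NULL, which is only sound if `elements` is validated to lie in 1..4 before this loop and if the 1- and 2-element packed 12-bit layouts really consume fewer `read12in32` datums per pixel than the 3-element one; a FATE sample built from the minimized fuzz case (8946/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5078915222601728) would pin both down. The 16-bit branch just above only shows the `if (elements == 4)` guard on `*dst[3]++ = read16(...)`, so it is worth confirming that its `dst[1]`/`dst[2]` writes carry the same element-count checks, otherwise the same null dereference remains reachable there.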
Fixes: null pointer dereference
Fixes: 8946/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5078915222601728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dpx.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)