Message ID | 20191115231053.2569-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | d73f06270600c37c74beeceac37f593838ced383 |
> On Nov 15, 2019, at 3:10 PM, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: out of array access > Fixes: 18788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVVIDEO_fuzzer-6254863113781248 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dvdec.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c > index 578d7f505f..c526091eb4 100644 > --- a/libavcodec/dvdec.c > +++ b/libavcodec/dvdec.c > @@ -272,11 +272,10 @@ static inline void bit_copy(PutBitContext *pb, GetBitContext *gb) > static av_always_inline void put_block_8x4(int16_t *block, uint8_t *av_restrict p, int stride) > { > int i, j; > - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; > > for (i = 0; i < 4; i++) { > for (j = 0; j < 8; j++) > - p[j] = cm[block[j]]; > + p[j] = av_clip_uint8(block[j]); > block += 8; > p += stride; > } LGTM — Baptiste
On Mon, Nov 18, 2019 at 09:02:48AM -0800, Baptiste Coudurier wrote: > > > On Nov 15, 2019, at 3:10 PM, Michael Niedermayer <michael@niedermayer.cc> wrote: > > > > Fixes: out of array access > > Fixes: 18788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVVIDEO_fuzzer-6254863113781248 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/dvdec.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c > > index 578d7f505f..c526091eb4 100644 > > --- a/libavcodec/dvdec.c > > +++ b/libavcodec/dvdec.c > > @@ -272,11 +272,10 @@ static inline void bit_copy(PutBitContext *pb, GetBitContext *gb) > > static av_always_inline void put_block_8x4(int16_t *block, uint8_t *av_restrict p, int stride) > > { > > int i, j; > > - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; > > > > for (i = 0; i < 4; i++) { > > for (j = 0; j < 8; j++) > > - p[j] = cm[block[j]]; > > + p[j] = av_clip_uint8(block[j]); > > block += 8; > > p += stride; > > } > > LGTM will apply thx [...]
diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c index 578d7f505f..c526091eb4 100644 --- a/libavcodec/dvdec.c +++ b/libavcodec/dvdec.c @@ -272,11 +272,10 @@ static inline void bit_copy(PutBitContext *pb, GetBitContext *gb) static av_always_inline void put_block_8x4(int16_t *block, uint8_t *av_restrict p, int stride) { int i, j; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; for (i = 0; i < 4; i++) { for (j = 0; j < 8; j++) - p[j] = cm[block[j]]; + p[j] = av_clip_uint8(block[j]); block += 8; p += stride; }
Fixes: out of array access
Fixes: 18788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVVIDEO_fuzzer-6254863113781248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dvdec.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
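
Review bot: The commit message says only "out of array access" without naming the array or the cause, and the put_block_8x4 hunk shows both: the removed `p[j] = cm[block[j]];` indexed `ff_crop_tab + MAX_NEG_CROP` with an unclamped `int16_t`, so a coefficient outside the table's margin on either side read out of bounds. Putting that one sentence in the message would make the fix auditable without opening the fuzzer testcase. The replacement `av_clip_uint8(block[j])` saturates every input to 0..255 and no longer depends on the table size, which fits the bug. Since only this one function is touched, it is worth confirming that no other `cm[...]` lookup in dvdec.c is indexed by decoder output that has not been range-checked.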