From patchwork Fri Sep 25 14:43:18 2020
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 22583
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 25 Sep 2020 11:43:18 -0300
Message-Id: <20200925144318.6194-8-jamrial@gmail.com>
In-Reply-To: <20200925144318.6194-1-jamrial@gmail.com>
References: <20200925144318.6194-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH 8/8] avcodec/av1dec: clean state on frame decoding errors
List-Id: FFmpeg development discussions and patches

Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct TileGroupInfo')
Fixes: 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
 libavcodec/av1dec.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 07026b7aeb..e5cfc3f2f2 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -381,6 +381,20 @@ fail: return AVERROR(ENOMEM); } +static void av1_decode_flush(AVCodecContext *avctx) +{ + AV1DecContext *s = avctx->priv_data; + + for (int i = 0; i < FF_ARRAY_ELEMS(s->ref); i++) + av1_frame_unref(avctx, &s->ref[i]); + + av1_frame_unref(avctx, &s->cur_frame); + s->raw_frame_header = NULL; + s->raw_seq = NULL; + + ff_cbs_flush(s->cbc); +} + static av_cold int av1_decode_free(AVCodecContext *avctx) { AV1DecContext *s = avctx->priv_data; @@ -841,23 +855,11 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame, end: ff_cbs_fragment_reset(&s->current_obu); + if (ret < 0) + av1_decode_flush(avctx); return ret; } -static void av1_decode_flush(AVCodecContext *avctx) -{ - AV1DecContext *s = avctx->priv_data; - - for (int i = 0; i < FF_ARRAY_ELEMS(s->ref); i++) - av1_frame_unref(avctx, &s->ref[i]); - - av1_frame_unref(avctx, &s->cur_frame); - s->raw_frame_header = NULL; - s->raw_seq = NULL; - - ff_cbs_flush(s->cbc); -} - AVCodec ff_av1_decoder = { .name = "av1", .long_name = NULL_IF_CONFIG_SMALL("Alliance for Open Media AV1"),
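Review bot: in the first hunk (@@ -381,6 +381,20 @@), the relocated av1_decode_flush() clears s->ref[], s->cur_frame, s->raw_frame_header and s->raw_seq, but the crash named in the commit message is a NULL dereference of a TileGroupInfo, and nothing in this function touches tile-group state; please confirm that every pointer the next av1_decode_frame() call consults after a failure is among those cleared here, or add the missing reset so the fix is not relying on the cbs flush alone. On style, the function body is moved rather than declared ahead of av1_decode_frame(); a one-line prototype (`static void av1_decode_flush(AVCodecContext *avctx);`) would keep the definition next to the other codec callbacks and shrink the diff to the change it actually carries.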
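Review bot: in the second hunk (@@ -841,23 +855,11 @@), the `if (ret < 0) av1_decode_flush(avctx);` added at `end:` fires on every failure path that reaches the label, including errors that say nothing about the validity of the reference state (an allocation failure, or a single damaged inter frame), and because the flush drops all of s->ref[] as well as the cbs state the decoder cannot emit anything until the next key frame. If the intent is only to keep a stale raw_frame_header/raw_seq from being dereferenced by the next call, consider resetting just those pointers on error and leaving the full reference flush to the .flush callback; if discarding references on any error is deliberate, say so in the commit message so the behaviour change is recorded. Please also confirm that ret is assigned on every `goto end` path, since this check is now the only thing preventing a bad packet from leaving partially updated state in place.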