diff mbox series

[FFmpeg-devel,2/4] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel

Message ID 20220815175927.8743-2-michael@niedermayer.cc
State Accepted
Commit 3b51e1992289383aa9f083c88e153e34b6412c89
Headers show
Series [FFmpeg-devel,1/4] avcodec/mpegaudiodec_template: use unsigned shift in handle_crc() | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Aug. 15, 2022, 5:59 p.m. UTC 
This is somewhat redundant with the is_decoded check. Maybe
there is a nicer solution

Fixes: Null pointer dereference
Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevcdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index f1be8af2cd..477d6d9d36 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3498,7 +3498,7 @@  static int hevc_decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         }
     } else {
         /* verify the SEI checksum */
-        if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded &&
+        if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded &&
             s->sei.picture_hash.is_md5) {
             ret = verify_md5(s, s->ref->frame);
             if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) {