| Message ID | 20230913234734.22402-2-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 2e04d35c69e6f8b4bdb46caa4a880c7c2ba3b141 |
| Series | [FFmpeg-devel,1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA |
| Context | Check | Description |
|---|---|---|
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
On Thu, Sep 14, 2023 at 1:48 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: use after free > Fixes: > 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/vlc.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c > index b353d2e86c2..f4bab0ae529 100644 > --- a/libavcodec/vlc.c > +++ b/libavcodec/vlc.c > @@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, > VLC_MULTI *multi, int nb_bits, int > goto fail; > } > } > - ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf); > + ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf); > if (ret < 0) > goto fail; > - return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, > logctx); > + ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, > logctx); > + if (buf != localbuf) > + av_free(buf); > + return ret; > fail: > if (buf != localbuf) > av_free(buf); > -- > 2.17.1 > > LGTM > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index b353d2e86c2..f4bab0ae529 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c @@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int goto fail; } } - ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf); + ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf); if (ret < 0) goto fail; - return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx); + ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx); + if (buf != localbuf) + av_free(buf); + return ret; fail: if (buf != localbuf) av_free(buf);
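Review bot: passing `buf` as both the buffer argument and the `localbuf` argument in `ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf);` is the whole fix, and the hunk implies it works because `vlc_common_end()` only frees its buffer when it differs from that last argument, so `buf` now survives until `vlc_multi_gen()` has read it; to a reader who has not followed this thread the duplicated argument looks like a copy-paste slip, so a one-line comment at the call site stating that the free is deliberately suppressed here would keep a later cleanup from reintroducing the use-after-free. The new `if (buf != localbuf) av_free(buf);` after `vlc_multi_gen()` repeats the `fail:` block verbatim; since `ret` now carries the return value on both paths, the success path could fall through to that shared cleanup instead of duplicating it.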
Fixes: use after free
Fixes: 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vlc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)