| Message ID | 20240401020006.12107-3-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
Michael Niedermayer: > Fixes: member access within null pointer of type 'const AVFilmGrainParams' (aka 'const struct AVFilmGrainParams') > Fixes: 67701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6595117570916352 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hevcdec.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c > index 752459af2d3..2514d522ba5 100644 > --- a/libavcodec/hevcdec.c > +++ b/libavcodec/hevcdec.c > @@ -2945,6 +2945,8 @@ static int hevc_frame_end(HEVCContext *s) > if (out->needs_fg) { > av_assert0(out->frame_grain->buf[0]); > fgp = av_film_grain_params_select(out->frame); > + if (!fgp) > + return 0; > switch (fgp->type) { > case AV_FILM_GRAIN_PARAMS_NONE: > av_assert0(0); There seems to be a deeper logic bug here: If there is no usable (as defined by av_film_grain_params_select()) film grain stuff here, then the frame_grain frame will be "blank" (may contain e.g. an earlier frame, but definitely not the one it is supposed to have), but it will nevertheless be the frame to be output. - Andreas
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 752459af2d3..2514d522ba5 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2945,6 +2945,8 @@ static int hevc_frame_end(HEVCContext *s) if (out->needs_fg) { av_assert0(out->frame_grain->buf[0]); fgp = av_film_grain_params_select(out->frame); + if (!fgp) + return 0; switch (fgp->type) { case AV_FILM_GRAIN_PARAMS_NONE: av_assert0(0);
Fixes: member access within null pointer of type 'const AVFilmGrainParams' (aka 'const struct AVFilmGrainParams') Fixes: 67701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6595117570916352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevcdec.c | 2 ++ 1 file changed, 2 insertions(+)