Message ID | 20240922215645.1182935-8-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,01/10] tools/target_dec_fuzzer: Add threshold for SRGC |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
Hi, On Mon, Sep 23, 2024 at 12:04 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: out of array read > Fixes: 71726/clusterfuzz-testcase-ffmpeg_SWS_fuzzer-5876893532880896 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libswscale/swscale_unscaled.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c > index dc1d5f35932..d403c953cc7 100644 > --- a/libswscale/swscale_unscaled.c > +++ b/libswscale/swscale_unscaled.c > @@ -230,6 +230,8 @@ static void nv24_to_yuv420p_chroma(uint8_t *dst1, int dstStride1, > const uint8_t *src2 = src + srcStride; > // average 4 pixels into 1 (interleaved U and V) > for (int y = 0; y < h; y += 2) { > + if (y + 1 == h) > + src2 = src1; > for (int x = 0; x < w; x++) { > dst1[x] = (src1[4 * x + 0] + src1[4 * x + 2] + > src2[4 * x + 0] + src2[4 * x + 2]) >> 2; I would prefer to keep nv24_to_yuv420p_chroma() expecting height to be a multiple of 2. We could add && !(c->srcH & 1) before selecting nv24ToYuv420Wrapper. Ramiro
diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index dc1d5f35932..d403c953cc7 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -230,6 +230,8 @@ static void nv24_to_yuv420p_chroma(uint8_t *dst1, int dstStride1, const uint8_t *src2 = src + srcStride; // average 4 pixels into 1 (interleaved U and V) for (int y = 0; y < h; y += 2) { + if (y + 1 == h) + src2 = src1; for (int x = 0; x < w; x++) { dst1[x] = (src1[4 * x + 0] + src1[4 * x + 2] + src2[4 * x + 0] + src2[4 * x + 2]) >> 2;
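Review bot: the added `if (y + 1 == h) src2 = src1;` stops the read past the last source row for odd h (src2 is src + srcStride, so on the final pass of an odd-height loop it pointed one row beyond the buffer), but nothing in the hunk says odd heights are now accepted; a one-line comment at that point (e.g. "odd height: reuse the last row rather than read past the buffer") would make the intent clear, and the output effect should be noted too: on that row src1's two samples are summed twice and still shifted by 2, so the chroma value becomes the horizontal average of the final row, which is a reasonable fallback. The alternative raised in the reply, gating the wrapper selection with `&& !(c->srcH & 1)` so nv24_to_yuv420p_chroma() keeps its even-height contract, is worth weighing against this in-loop check, which is evaluated on every row pair.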
Fixes: out of array read
Fixes: 71726/clusterfuzz-testcase-ffmpeg_SWS_fuzzer-5876893532880896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libswscale/swscale_unscaled.c | 2 ++
1 file changed, 2 insertions(+)