From patchwork Thu Jun 4 18:40:33 2020
X-Patchwork-Submitter: Thierry Foucu
X-Patchwork-Id: 20150
From: Thierry Foucu
To: ffmpeg-devel@ffmpeg.org
Cc: Thierry Foucu
Date: Thu, 4 Jun 2020 11:40:33 -0700
Message-Id: <20200604184033.66758-1-tfoucu@gmail.com>
Subject: [FFmpeg-devel] [PATCH] libavcodec/png_parser.c: fix a use_of_uninitialized_value in target_dec_fuzzer.

target_dec_fuzzer is checking for the avpkt.data pointer, but if the png
parser cannot combine the frame, the poutbuf is not set and so the
avpkt.data is not initialized.
---
 libavcodec/png_parser.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/png_parser.c b/libavcodec/png_parser.c
index 74f2964118..d1b2926154 100644
--- a/libavcodec/png_parser.c
+++ b/libavcodec/png_parser.c
@@ -99,8 +99,11 @@ static int png_parse(AVCodecParserContext *s, AVCodecContext *avctx, } flush: - if (ff_combine_frame(&ppc->pc, next, &buf, &buf_size) < 0) + if (ff_combine_frame(&ppc->pc, next, &buf, &buf_size) < 0) { + *poutbuf = NULL; + *poutbuf_size = 0; return buf_size; + } ppc->chunk_pos = ppc->pc.frame_start_found = 0;
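Review bot: the early-return path at `flush:` now leaves both `*poutbuf` and `*poutbuf_size` defined when `ff_combine_frame()` fails, which is the right fix, but the commit message should state the contract being restored rather than the symptom: a parser must set both output pointers on every return, including the "frame still incomplete, bytes buffered" case, because the caller (target_dec_fuzzer here, and any other user of the parser that only looks at the returned data pointer) reads them without being able to tell that nothing was produced. Two smaller points: the subject line names target_dec_fuzzer, but the defect is in png_parser.c and the fuzzer only detected it, so something like "png_parser: always set poutbuf on incomplete frame" would be more accurate; and since this hunk only covers the `flush:` path, the message could confirm that no other early `return` in png_parse() leaves the output pointers unset, so reviewers do not have to re-audit the rest of the function.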