[FFmpeg-devel] [PATCH 2/2] avcodec/vp56: Require not any undamaged frame for concealment but one of comparable size

Ronald S. Bultje rsbultje at gmail.com
Thu Mar 9 14:59:37 EET 2017


Hi,

On Wed, Mar 8, 2017 at 10:07 PM, Michael Niedermayer <michael at niedermayer.cc> wrote:

> Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/vp56.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
> index 0010408847..bccb424903 100644
> --- a/libavcodec/vp56.c
> +++ b/libavcodec/vp56.c
> @@ -710,7 +710,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx,
> void *data,
>                  int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
>                  if (ret < 0) {
>                      damaged = 1;
> -                    if (!s->have_undamaged_frame) {
> +                    if (s->have_undamaged_frame < s->mb_width *
> s->mb_height) {
>                          s->discard_frame = 1;
>                          return AVERROR_INVALIDDATA;
>                      }
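Review bot: The new guard `if (s->have_undamaged_frame < s->mb_width * s->mb_height)` only compares macroblock counts, so a prior undamaged frame whose width and height differ from the current frame but whose product is equal (or larger) still passes and is used as a concealment reference. Since the check is meant to ensure the reference is usable for the current geometry, it should compare width and height individually, e.g. keep the undamaged frame's `mb_width` and `mb_height` in separate fields and discard when either differs; the `<` also silently accepts a larger reference, which the commit message does not justify.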
> @@ -732,7 +732,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx,
> void *data,
>      }
>
>      if (!damaged)
> -        s->have_undamaged_frame = 1;
> +        s->have_undamaged_frame = s->mb_width * s->mb_height;
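Review bot: After `s->have_undamaged_frame = s->mb_width * s->mb_height;` the field no longer holds a flag but a macroblock count, while its name still reads as a boolean; either rename it (or replace it with per-dimension fields, which would also fix the product-equality problem in the first hunk) and confirm in vp56.h that its declared type can hold `mb_width * mb_height` for the largest supported frame. Any other reader of `have_undamaged_frame` that tests it as a boolean should be checked against the new meaning as well.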


You know very well that this makes the memory issue go away but isn't doing
the right thing if width1!=width2 && height1!=height2 but width1*height1 ==
 width2*height2. This is obviously because vpN codecs up to and including
vp8 don't include scalable MC.

Can you do this right and only allow this if frame/ref width and height
both match, not just their product?

Ronald

