[FFmpeg-devel] [PATCH] avcodec/webp: Reinitialize VP8 decoder on pixel format mismatch

Michael Niedermayer michael at niedermayer.cc
Wed May 10 04:24:18 EEST 2017


On Tue, May 09, 2017 at 09:08:08PM -0400, Ronald S. Bultje wrote:
> Hi,
> 
> On Tue, May 9, 2017 at 8:37 PM, Michael Niedermayer <michael at niedermayer.cc>
> wrote:
> 
> > Fixes: out of array access
> > Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632
> > Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/webp.c | 9 +++++++--
> >  1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/webp.c b/libavcodec/webp.c
> > index 16c3ae2662..23ed4bc26f 100644
> > --- a/libavcodec/webp.c
> > +++ b/libavcodec/webp.c
> > @@ -1330,12 +1330,17 @@ static int vp8_lossy_decode_frame(AVCodecContext
> > *avctx, AVFrame *p,
> >      WebPContext *s = avctx->priv_data;
> >      AVPacket pkt;
> >      int ret;
> > +    enum AVPixelFormat wanted_pix_fmt = s->has_alpha ?
> > AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
> > +
> > +    if (s->initialized && wanted_pix_fmt != avctx->pix_fmt) {
> > +        ff_vp8_decode_free(avctx);
> > +        s->initialized = 0;
> > +    }
> >
> >      if (!s->initialized) {
> >          ff_vp8_decode_init(avctx);
> >          s->initialized = 1;
> > -        if (s->has_alpha)
> > -            avctx->pix_fmt = AV_PIX_FMT_YUVA420P;
> > +        avctx->pix_fmt = wanted_pix_fmt;
> >      }
> >      s->lossless = 0;
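Review bot: the new free/init cycle still ignores the return value of ff_vp8_decode_init(): after ff_vp8_decode_free(avctx) tears the context down, a failed init would leave s->initialized = 1 and decoding would continue on a half-initialized VP8 context. Since `ret` is already declared in this function, suggest `ret = ff_vp8_decode_init(avctx); if (ret < 0) return ret;` before `s->initialized = 1;`. A one-line comment on the `if (s->initialized && wanted_pix_fmt != avctx->pix_fmt)` block saying why the reinit is needed (the VP8 decoder's state is tied to the pixel format it was initialized with) would also help, since the hunk otherwise reads as an unexplained teardown on every alpha toggle.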
> 
> 
> What is the out of array access? webp is intra only and the only thing that
> is initialized with memory in that call is reference frames. What's going
> on here?

webp uses the same context as VP8, and it changes the pixel format
as it needs. VP8 doesn't work if its format is changed under its feet.

The reinit seemed a reasonably clean way to handle it. There are a few
other ways the same can be achieved.

Do you have a better idea or see something missing?

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."