[FFmpeg-cvslog] avcodec/av1dec: partially clean state on frame decoding errors
James Almer
git at videolan.org
Sun Oct 4 16:36:32 EEST 2020
ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sun Oct 4 10:21:59 2020 -0300| [05872c67a4cad1f28c41121314d7cf76c1fe3163] | committer: James Almer
avcodec/av1dec: partially clean state on frame decoding errors
Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct TileGroupInfo')
Fixes: 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=05872c67a4cad1f28c41121314d7cf76c1fe3163
---
libavcodec/av1dec.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 07026b7aeb..1b09dc183a 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -686,6 +686,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
ret = set_context_with_sequence(avctx, s->raw_seq);
if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "Failed to set context.\n");
+ s->raw_seq = NULL;
goto end;
}
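Review bot: the `s->raw_seq = NULL;` added in the "Failed to set context." branch carries no comment saying why the sequence header pointer has to be dropped on this failure. A short comment here, stating that a sequence header which could not be applied must not be picked up by later units, would make the intent clear to the next reader and tie the reset to the null-pointer report named in the commit message.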
@@ -694,6 +695,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
if (ret < 0) {
av_log(avctx, AV_LOG_ERROR,
"Failed to get pixel format.\n");
+ s->raw_seq = NULL;
goto end;
}
}
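Review bot: in the "Failed to get pixel format." branch, `s->raw_seq = NULL;` clears only the decoder's pointer, while the `set_context_with_sequence(avctx, s->raw_seq)` call a few lines earlier in the same function appears to have already succeeded by this point. Please confirm that whatever that call wrote into `avctx` is safe to keep once the sequence header it came from has been discarded, or say in a comment that the partial cleanup is intentional.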
@@ -703,6 +705,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
unit->data_size);
if (ret < 0) {
av_log(avctx, AV_LOG_ERROR, "HW accel decode params fail.\n");
+ s->raw_seq = NULL;
goto end;
}
}
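Review bot: the "HW accel decode params fail." branch is the third place in `av1_decode_frame` where the pair `s->raw_seq = NULL;` and `goto end;` is written out by hand. A shared error label placed just before `end:` that clears `s->raw_seq` and falls through would keep the three paths in sync and make it harder for a future error branch in this block to forget the reset.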
@@ -841,6 +844,8 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
end:
ff_cbs_fragment_reset(&s->current_obu);
+ if (ret < 0)
+ s->raw_frame_header = NULL;
return ret;
}
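Review bot: the `if (ret < 0)` check at `end:` drops `s->raw_frame_header` on every failing return, while `s->raw_seq` is cleared only in the three specific branches above. If that asymmetry is deliberate (frame header invalid after any error, sequence header invalid only when applying it failed), a one-line comment at `end:` should say so. Since the assignment sits after `ff_cbs_fragment_reset(&s->current_obu);`, it would also help to note whether anything between the reset and the return can still read the old pointer.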