[FFmpeg-devel] [PATCH] avcodec/decode: Clear format on ff_get_buffer() failure
Michael Niedermayer
michael at niedermayer.cc
Tue Mar 24 22:23:58 EET 2020
On Tue, Mar 24, 2020 at 10:59:21AM +0100, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2020-03-24 01:41:43)
> > Fixes: out of array access
> > Fixes: 21193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5125168956702720
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/decode.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/libavcodec/decode.c b/libavcodec/decode.c
> > index af6bb3f952..fb22ef0ef3 100644
> > --- a/libavcodec/decode.c
> > +++ b/libavcodec/decode.c
> > @@ -1972,6 +1972,7 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
> > if (ret < 0) {
> > av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
> > frame->width = frame->height = 0;
> > + frame->format = -1;
>
> This looks ad-hoc. And also unnecessary, since get_buffer_internal() is
> already calling av_frame_unref() on failure.
> Seems it's just missing the cleanup goto on ff_decode_frame_props()
> failure.
will post a patch to fix that cleanup but i have to say that i
feel a bit uneasy that a fix to out of array access is "not forgetting
cleanup on any path"
Ill add a assert so if another path leads to this, it at least gets
stoped/clearly caught.
Thanks
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200324/73c28321/attachment.sig>
More information about the ffmpeg-devel
mailing list