[FFmpeg-devel] [PATCH 03/11] avcodec/aac/aacdec: Check if frame is allocated in frame_configure_elements()

Michael Niedermayer michael at niedermayer.cc
Sun Sep 22 16:46:39 EEST 2024


On Mon, Jul 01, 2024 at 01:12:42AM +0200, Michael Niedermayer wrote:
> I did not investigate exactly why frame is NULL, happy to provide the sample
> if someone wants to investigate further
> 
> Fixes: NULL pointer dereference
> Fixes: 69893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4965255361396736
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/aac/aacdec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
> index ea2ba84a80c..6a70c69034c 100644
> --- a/libavcodec/aac/aacdec.c
> +++ b/libavcodec/aac/aacdec.c
> @@ -186,6 +186,9 @@ static int frame_configure_elements(AVCodecContext *avctx)
>          }
>      }
>  
> +    if (!ac->frame)
> +        return AVERROR_INVALIDDATA;
> +
>      /* get output buffer */
>      av_frame_unref(ac->frame);
>      if (!avctx->ch_layout.nb_channels)
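Review bot: the added NULL check returns AVERROR_INVALIDDATA, but the condition it guards is not a property of the input: the trace in this thread shows frame_configure_elements() reached from ff_aac_decode_init() via decode_audio_specific_config() -> ff_aac_usac_config_decode() -> ff_aac_usac_reset_state() -> ff_aac_get_che() -> ff_aac_output_configure(), i.e. during codec initialisation, before any output frame exists. Reporting that as invalid data hides an ordering problem in the USAC init path; either the caller should avoid configuring the frame during init, or the early return should carry an error value that reflects an internal-state condition and a comment stating when ac->frame can legitimately be NULL here. As written, the check does prevent the subsequent av_frame_unref(ac->frame) dereference, so it is acceptable as an interim crash fix if the commit message says so.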
> -- 
> 2.45.2

I now see this is an aac_usac case, ccing lynne

libavcodec/aac/aacdec.c:195:16: runtime error: member access within null pointer of type 'struct AVFrame'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/aac/aacdec.c:195:16 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==532649==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x0000004dec98 bp 0x7ffd9bed44d0 sp 0x7ffd9bed4430 T0)
==532649==The signal is caused by a WRITE memory access.
==532649==Hint: address points to the zero page.
    #0 0x4dec97 in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:195:27
    #1 0x4da545 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:518:20
    #2 0x4e0070 in ff_aac_get_che ffmpeg/libavcodec/aac/aacdec.c:609:13
    #3 0x571f99 in ff_aac_usac_reset_state ffmpeg/libavcodec/aac/aacdec_usac.c:307:15
    #4 0x577d07 in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:552:11
    #5 0x500d85 in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1051:20
    #6 0x4e74fc in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1095:12
    #7 0x4e5c77 in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1189:20
    #8 0x54782e in ff_aac_decode_init_float ffmpeg/libavcodec/aac/aacdec_float.c:181:12
    #9 0x66d3fe in avcodec_open2 ffmpeg/libavcodec/avcodec.c:327:19
    #10 0x4cffa5 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:468:15

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact