From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 6 Feb 2025 20:25:03 +0000
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avcodec/vvc/refs: Check content_ref in set_pict_type()
Message-ID: <29d07dbe-375d-4540-9204-e5984474ff26@frankplowman.com>
In-Reply-To: <20250202211721.1469377-2-michael@niedermayer.cc>
References: <20250202211721.1469377-1-michael@niedermayer.cc> <20250202211721.1469377-2-michael@niedermayer.cc>

On 02/02/2025 21:17, Michael Niedermayer wrote:
> Fixes: 390565846/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4990028521996288
> Fixes: Null pointer dereference
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/vvc/refs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c
> index 486515d06db..1cfca482047 100644
> --- a/libavcodec/vvc/refs.c
> +++ b/libavcodec/vvc/refs.c
> @@ -186,7 +186,7 @@ static void set_pict_type(AVFrame *frame, const VVCContext *s, const VVCFrameCon > const CodedBitstreamFragment *current = &s->current_frame; > for (int i = 0; i < current->nb_units && !has_b; i++) { > const CodedBitstreamUnit *unit = current->units + i; > - if (unit->type <= VVC_RSV_IRAP_11) { > + if (unit->content_ref && unit->type <= VVC_RSV_IRAP_11) { > const H266RawSliceHeader *rsh = unit->content_ref; > has_inter |= !IS_I(rsh); > has_b |= IS_B(rsh);

I did a little more sniffing around this. unit->content and unit->content_ref are NULL for NAL units with a type code corresponding to a reserved or unspecified NAL unit type. Due to the existing condition on the NAL unit type being a VCL NAL unit type, this means that unit->type will be in [4..6], which are all reserved.

Perhaps we might want to add a warning message or something similar letting the user know some data is being skipped, particularly seeing as we are talking about video data here?

On the other hand, if the loglevel is set to verbose or above, cbs_read_fragment_content will produce some log output which alludes to this, although it is a bit obtuse as codec-specific information is not available there.

In any case, I agree that adding the extra check on unit->content_ref is correct.

Thank you,
Frank
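Review bot: the added `unit->content_ref &&` guard in the `for` loop of `set_pict_type()` turns the NULL dereference into a silent skip, so `has_inter` and `has_b` can be computed from fewer slice headers than the fragment contains and the picture type may be set from incomplete information. Since the reply above notes that `content_ref` is NULL only for reserved or unspecified NAL unit types within the VCL range, consider a one-line comment at the new condition stating that, plus a debug-level log when such a unit is skipped, so the omission is visible without relying on the generic `cbs_read_fragment_content` output.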