From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end()
Date: Mon, 1 Apr 2024 14:23:57 +0200
Message-ID: <GV1P250MB0737DCF49ACD522CF62256ED8F3F2@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM>
In-Reply-To: <20240401020006.12107-3-michael@niedermayer.cc>
Michael Niedermayer:
> Fixes: member access within null pointer of type 'const AVFilmGrainParams' (aka 'const struct AVFilmGrainParams')
> Fixes: 67701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6595117570916352
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/hevcdec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
> index 752459af2d3..2514d522ba5 100644
> --- a/libavcodec/hevcdec.c
> +++ b/libavcodec/hevcdec.c
> @@ -2945,6 +2945,8 @@ static int hevc_frame_end(HEVCContext *s)
> if (out->needs_fg) {
> av_assert0(out->frame_grain->buf[0]);
> fgp = av_film_grain_params_select(out->frame);
> + if (!fgp)
> + return 0;
> switch (fgp->type) {
> case AV_FILM_GRAIN_PARAMS_NONE:
> av_assert0(0);
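Review bot: the early "return 0" inserted before "switch (fgp->type)" leaves out->needs_fg set while out->frame_grain is never written for this picture, so the rest of the pipeline is still told that the grain frame is the one to use even though nothing was rendered into it; if a NULL from av_film_grain_params_select() is a legitimate state, clear out->needs_fg (or otherwise fall back to out->frame) before returning, and if it is not, return an error rather than reporting success, since a silent 0 hides the mismatch between the needs_fg flag and the side data actually attached to out->frame.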
There seems to be a deeper logic bug here: If there is no usable (as
defined by av_film_grain_params_select()) film grain stuff here, then
the frame_grain frame will be "blank" (may contain e.g. an earlier
frame, but definitely not the one it is supposed to have), but it will
nevertheless be the frame to be output.
- Andreas
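The stale-output scenario described in this reply, as an added example: a constructed C model, not FFmpeg code. The types, the fallback variant and the helper names are hypothetical, and it assumes that whatever consumes the frame keeps picking frame_grain as long as needs_fg remains set. It contrasts a bare early return with a variant that drops the needs_fg flag when no usable film grain parameters are found, so that the plain decoded picture is output instead of a scratch buffer still holding the previous picture.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the decoder state; not FFmpeg's real types. */
typedef struct Frame {
    char data[32];       /* stands in for pixel data */
} Frame;

typedef struct FilmGrainParams {
    int type;            /* non-zero: some usable grain model */
} FilmGrainParams;

typedef struct OutFrame {
    Frame *frame;        /* decoded picture, always valid here */
    Frame *frame_grain;  /* scratch picture; valid only once grain has been applied */
    int needs_fg;        /* set when the stream announced film grain for this picture */
} OutFrame;

/* Stand-in for av_film_grain_params_select(): NULL means no usable params. */
static FilmGrainParams *select_params(FilmGrainParams *announced)
{
    return announced;
}

/* Toy "grain application": copy the picture into the scratch frame and tag it. */
static void apply_grain(OutFrame *out)
{
    strcpy(out->frame_grain->data, out->frame->data);
    strcat(out->frame_grain->data, "+grain");
}

/* Assumed consumer behaviour: while needs_fg is set, frame_grain is what gets output. */
static const char *output_of(const OutFrame *out)
{
    return out->needs_fg ? out->frame_grain->data : out->frame->data;
}

/* Variant 1: a bare early return on missing params (the pattern under discussion). */
static int frame_end_early_return(OutFrame *out, FilmGrainParams *announced)
{
    if (out->needs_fg) {
        FilmGrainParams *fgp = select_params(announced);
        if (!fgp)
            return 0;        /* needs_fg stays set; frame_grain is never written */
        apply_grain(out);
    }
    return 0;
}

/* Variant 2 (hypothetical fix): stop claiming the grain frame is the output. */
static int frame_end_fallback(OutFrame *out, FilmGrainParams *announced)
{
    if (out->needs_fg) {
        FilmGrainParams *fgp = select_params(announced);
        if (!fgp) {
            out->needs_fg = 0;   /* output the plain decoded picture instead */
            return 0;
        }
        apply_grain(out);
    }
    return 0;
}

/* Runs one variant with a scratch buffer still holding the previous picture
 * and returns what the consumer would output. */
static const char *run(int (*frame_end)(OutFrame *, FilmGrainParams *),
                       FilmGrainParams *announced, char *result, size_t n)
{
    Frame cur = { "picture-2" };
    Frame scratch = { "picture-1+grain" };   /* leftover from the previous frame */
    OutFrame out = { &cur, &scratch, 1 };
    frame_end(&out, announced);
    snprintf(result, n, "%s", output_of(&out));
    return result;
}

int main(void)
{
    char a[32], b[32], c[32];
    FilmGrainParams fg = { 1 };
    printf("early return, no params: %s\n", run(frame_end_early_return, NULL, a, sizeof a));
    printf("fallback,     no params: %s\n", run(frame_end_fallback, NULL, b, sizeof b));
    printf("fallback,     params   : %s\n", run(frame_end_fallback, &fg, c, sizeof c));
    return 0;
}
```

With the early return, the first line shows the previous picture being emitted for the current one; with the fallback, the current picture comes out unmodified when no params exist and with grain applied when they do.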