From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 3/5] avcodec/decode: Check progress before dereferencing
Date: Tue, 25 Jun 2024 21:51:32 +0200
Message-ID: <GV1SPRMB0034743CA4787466D1CC1C7C8FD52@GV1SPRMB0034.EURP250.PROD.OUTLOOK.COM>
In-Reply-To: <20240625194705.GH4991@pb2>
Michael Niedermayer:
> On Sat, Apr 27, 2024 at 01:13:54PM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> Fixes: NULL pointer dereference
>>> Fixes: 68192/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP8_fuzzer-6180311026171904
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavcodec/decode.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/libavcodec/decode.c b/libavcodec/decode.c
>>> index d031b1ca176..a6131941f43 100644
>>> --- a/libavcodec/decode.c
>>> +++ b/libavcodec/decode.c
>>> @@ -1744,6 +1744,8 @@ void ff_progress_frame_report(ProgressFrame *f, int n)
>>>
>>> void ff_progress_frame_await(const ProgressFrame *f, int n)
>>> {
>>> + if (!f->progress)
>>> + return;
>>> ff_thread_progress_await(&f->progress->progress, n);
>>> }
>>>
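Review bot: the early return on `!f->progress` makes a frame that was never allocated indistinguishable from one that is fully decoded, so a caller awaiting such a reference carries on and reads from it; the check removes the sanitizer's "member access within null pointer" at `&f->progress->progress`, but the VP8 ordering problem (frame pointer stored before the frame is allocated) stays in place. Suggest rejecting the unallocated reference in the caller as invalid data instead, or, if a NULL progress object is meant to be a supported input here, stating that in the comment above ff_progress_frame_await so other callers do not start relying on it by accident.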
>>
>> Can I get the sample? I see two places in VP8 where the VP8Frame
>> pointers are set before the actual frame inside it is properly allocated.
>>
>> (Actually, it was intended for this API to not support waiting on
>> non-existent frames (i.e. let the caller check for this; in most
>> instances, it is already guaranteed that the frame one waits on exists,
>> so this is unnecessary for them).)
>
> Did you receive the sample I sent you in April?
>
> Any update on this?
> It's still crashing without this patch.
>
> Running: 68192/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP8_fuzzer-6180311026171904
> libavcodec/decode.c:1766:44: runtime error: member access within null pointer of type 'struct ProgressInternal'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/decode.c:1766:44 in
> libavcodec/threadprogress.c:72:36: runtime error: member access within null pointer of type 'ThreadProgress' (aka 'struct ThreadProgress')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/threadprogress.c:72:36 in
>
Totally forgot about this. Will look into it. Thanks for the reminder.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
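Added illustration of the design question in this thread (example code, not FFmpeg's and not the patch author's): a reduced single-threaded C model in which the reference slot is rotated before the new frame's buffer exists, the ordering described for VP8 above. ProgressInternal/ProgressFrame are simplified stand-ins for the real structures; ModelFrame, ModelDecoder, model_run, the FRAME_* types and the MODEL_ERR_* codes are assumptions invented for this example. Running a constructed stream of key frame, corrupt frame, inter frame shows that the patch-style early return reports success for a reference that was never allocated, so the caller goes on to predict from it, while a caller-side check rejects the stream with an error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed placeholder error codes for this model; not FFmpeg's AVERROR values. */
#define MODEL_ERR_INVALIDDATA (-100)
#define MODEL_ERR_NO_BUFFER   (-101)
#define MODEL_ERR_NOT_READY   (-102)
#define MODEL_ROWS 4

/* Reduced stand-ins: the progress object exists only once the buffer was allocated. */
typedef struct ProgressInternal { int progress; } ProgressInternal;
typedef struct ProgressFrame   { ProgressInternal *progress; } ProgressFrame;

typedef struct ModelFrame {
    ProgressFrame  tf;
    unsigned char *data;            /* NULL until the buffer was obtained */
} ModelFrame;

typedef struct ModelDecoder {
    ModelFrame  frames[2];
    ModelFrame *prev;               /* reference slot, assigned before allocation */
    ModelFrame *cur;
    int         checked;            /* 1: the caller rejects an unallocated reference */
    int         missing_ref_reads;  /* rows predicted from a frame that never existed */
} ModelDecoder;

enum { FRAME_KEY = 0, FRAME_INTER = 1, FRAME_CORRUPT = 2 };

/* Patch-style helper: a NULL progress object is silently reported as complete. */
static int progress_await_silent(const ProgressFrame *f, int n)
{
    if (!f->progress)
        return 0;
    return f->progress->progress >= n ? 0 : MODEL_ERR_NOT_READY; /* a real await would block */
}

/* Caller-side contract: awaiting a frame that was never allocated is an error. */
static int progress_await_checked(const ProgressFrame *f, int n)
{
    if (!f->progress)
        return MODEL_ERR_INVALIDDATA;
    return f->progress->progress >= n ? 0 : MODEL_ERR_NOT_READY;
}

static int model_get_buffer(ModelFrame *fr)
{
    fr->data        = calloc(MODEL_ROWS, 1);
    fr->tf.progress = calloc(1, sizeof(*fr->tf.progress));
    if (!fr->data || !fr->tf.progress)
        return MODEL_ERR_NO_BUFFER;
    fr->tf.progress->progress = MODEL_ROWS;   /* every row reported as decoded */
    return 0;
}

static void model_unref(ModelFrame *fr)
{
    free(fr->data);
    free(fr->tf.progress);
    memset(fr, 0, sizeof(*fr));
}

static int model_decode_frame(ModelDecoder *d, int type, int idx)
{
    ModelFrame *fr = &d->frames[idx & 1];
    int ret;

    model_unref(fr);
    /* The ordering the thread points at: the reference slot is rotated before the
     * new frame's buffer exists, so a failure below leaves d->prev pointing at a
     * frame with neither data nor a progress object. */
    d->prev = d->cur;
    d->cur  = fr;

    if (type == FRAME_CORRUPT)
        return MODEL_ERR_INVALIDDATA;         /* header rejected: nothing allocated */
    if ((ret = model_get_buffer(fr)) < 0)
        return ret;
    if (type != FRAME_INTER)
        return 0;
    if (!d->prev)
        return MODEL_ERR_INVALIDDATA;         /* inter frame with no reference at all */

    for (int row = 0; row < MODEL_ROWS; row++) {
        ret = d->checked ? progress_await_checked(&d->prev->tf, row)
                         : progress_await_silent(&d->prev->tf, row);
        if (ret < 0)
            return ret;
        if (!d->prev->data) {                 /* a real decoder would dereference this */
            d->missing_ref_reads++;
            continue;
        }
        fr->data[row] = d->prev->data[row];
    }
    return 0;
}

/* Decodes a constructed sequence of frame types, continuing after errors as a
 * decoder fed packet by packet would; returns the status of the last frame. */
static int model_run(int checked, const int *types, int n, int *missing_ref_reads)
{
    ModelDecoder d;
    int ret = 0;

    memset(&d, 0, sizeof(d));
    d.checked = checked;
    for (int i = 0; i < n; i++)
        ret = model_decode_frame(&d, types[i], i);
    model_unref(&d.frames[0]);
    model_unref(&d.frames[1]);
    *missing_ref_reads = d.missing_ref_reads;
    return ret;
}

int main(void)
{
    const int stream[] = { FRAME_KEY, FRAME_CORRUPT, FRAME_INTER };   /* constructed input */
    int miss, ret;

    ret = model_run(0, stream, 3, &miss);
    printf("silent await:  last ret=%d, rows read from missing reference=%d\n", ret, miss);
    ret = model_run(1, stream, 3, &miss);
    printf("checked await: last ret=%d, rows read from missing reference=%d\n", ret, miss);
    return 0;
}
```

With the silent helper the third frame decodes "successfully" while every row was predicted from a reference that has no buffer; with the caller-side check the same frame fails with MODEL_ERR_INVALIDDATA and no such read happens. A clean key/inter/inter stream decodes identically under both variants, which is why the difference only shows up on malformed input like the fuzzer case.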
Thread overview: 18+ messages
2024-04-26 23:52 [FFmpeg-devel] [PATCH 1/5] avcodec/pngdec: Check last AVFrame before deref Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 2/5] avcodec/vp3: Call ff_progress_frame_unref() before ff_progress_frame_get_buffer() Michael Niedermayer
2024-04-27 9:47 ` Andreas Rheinhardt
2024-04-27 18:15 ` Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 3/5] avcodec/decode: Check progress before dereferencing Michael Niedermayer
2024-04-27 11:13 ` Andreas Rheinhardt
2024-06-25 19:47 ` Michael Niedermayer
2024-06-25 19:51 ` Andreas Rheinhardt [this message]
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Check ref frame Michael Niedermayer
2024-04-27 10:14 ` Andreas Rheinhardt
2024-04-27 18:23 ` Michael Niedermayer
2024-04-26 23:52 ` [FFmpeg-devel] [PATCH 5/5] avformat/mov: Check if heif item name is already allocated Michael Niedermayer
2024-04-26 23:57 ` James Almer
2024-04-27 0:03 ` Michael Niedermayer
2024-04-27 0:23 ` James Almer
2024-04-27 23:19 ` James Almer
2024-04-27 9:36 ` [FFmpeg-devel] [PATCH 1/5] avcodec/pngdec: Check last AVFrame before deref Andreas Rheinhardt
2024-04-27 18:13 ` Michael Niedermayer