diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2019-03-23 20:55:08 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-03-31 23:30:09 +0200 |
commit | f1ecebcdb72b5928b585ec8f07c3847927b4bf1d (patch) | |
tree | 8b60fe7b1fd13b732a6f555c22d5d889e848c771 | |
parent | daca529112d8cefa9d1f661b3493def303ba63c5 (diff) | |
download | ffmpeg-f1ecebcdb72b5928b585ec8f07c3847927b4bf1d.tar.gz |
avcodec/hevcdec: Avoid only partly skiping duplicate first slices
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 54655623a82632e7624714d7b2a3e039dc5faa7e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/hevcdec.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 0dee673dac..afb3b1b554 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -485,6 +485,11 @@ static int hls_slice_header(HEVCContext *s) // Coded parameters sh->first_slice_in_pic_flag = get_bits1(gb); + if (s->ref && sh->first_slice_in_pic_flag) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + return 1; // This slice will be skiped later, do not corrupt state + } + if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { s->seq_decode = (s->seq_decode + 1) & 0xff; s->max_ra = INT_MAX; @@ -2915,6 +2920,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) ret = hls_slice_header(s); if (ret < 0) return ret; + if (ret == 1) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if ( (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) || @@ -2924,10 +2934,6 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) } if (s->sh.first_slice_in_pic_flag) { - if (s->ref) { - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - goto fail; - } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; |