diff options
author | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2020-05-27 10:54:44 +0200 |
---|---|---|
committer | Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | 2022-03-31 10:48:50 +0200 |
commit | c12e8c97b13f33897bd9c6095432c9740504f5c7 (patch) | |
tree | aadfd59d238698743e8750877a2699e065d5b11d /libavcodec | |
parent | ab25b6aee6295b6fb77c076c85c89df9f2af08e7 (diff) | |
download | ffmpeg-c12e8c97b13f33897bd9c6095432c9740504f5c7.tar.gz |
avcodec/vp9_superframe_bsf: Check for existence of data before reading it
Packets without data need to be handled specially in order to avoid
undefined reads. Pass these packets through unchanged in case there
are no cached packets* and error out in case there are cached packets:
Returning the packet would mess with the order of the packets;
if one returned the zero-sized packet before the superframe that will
be created from the packets in the cache, the zero-sized packet would
overtake the packets in the cache; if one returned the packet later,
the packets that complete the superframe will overtake the zero-sized
packet.
*: This case e.g. encompasses the scenario of updated extradata
side-data at the end.
Fixes: Out of array read
Fixes: 45722/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_fuzzer-5173378975137792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vp9_superframe_bsf.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c index 349d43d62e..a0978c7ef0 100644 --- a/libavcodec/vp9_superframe_bsf.c +++ b/libavcodec/vp9_superframe_bsf.c @@ -108,6 +108,15 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *pkt) if (res < 0) return res; + if (!pkt->size) { + /* In case the cache is empty we can pass side-data-only packets + * through unchanged. Otherwise, such a packet makes no sense. */ + if (!s->n_cache) + return 0; + res = AVERROR_INVALIDDATA; + goto done; + } + marker = pkt->data[pkt->size - 1]; if ((marker & 0xe0) == 0xc0) { int nbytes = 1 + ((marker >> 3) & 0x3); |