diff options
| author | James Almer <jamrial@gmail.com> | 2022-03-22 15:35:19 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2022-03-28 20:36:04 -0300 |
| commit | fd4121a0aa1906f8cc653a0efc2c85c4a35235fe (patch) | |
| tree | 7557bdc974e14ba66528858252fb2f38fcdd9399 /libavformat/gopher.c | |
| parent | ba595e8d8325c9adfea1a583a19cc99a060f09a5 (diff) | |
| download | ffmpeg-fd4121a0aa1906f8cc653a0efc2c85c4a35235fe.tar.gz | |
avcodec/av1: only set the private context pix_fmt field if get_pixel_format() succeeds
Otherwise get_pixel_format() will not be called when parsing a subsequent Sequence
Header in non hwaccel enabled scenarios, allowing frame parsing when it shouldn't.
This prevents the scenario seqhdr -> frame_hdr/redundant_frame_hdr -> seqhdr ->
redundant_frame_hdr from having the latter redundant frame header parsed as if it
was a frame header by the decoder because the former was discarded.
Since CBS did not discard it, the latter redundant frame header is output with a
zeroed AV1RawFrameHeader struct, which can have undesired results, like division
by zero with fields normally guaranteed to be anything else.
Fixes: division by zero
Fixes: 43769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5392562205097984
Fixes: 43950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5769210217758720
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5670eddf8cd3907f9c0a9e626b5698d27c81c81b)
Diffstat (limited to 'libavformat/gopher.c')
0 files changed, 0 insertions, 0 deletions