Re: [FFmpeg-devel] [PATCH 4/6] avcodec/rv60dec: Check NEXT/LAST availability

Sat, 07 Dec 2024 23:36:14 -0800 

On Sun, Dec 08, 2024 at 04:57:01AM +0100, Michael Niedermayer wrote:
> Fixes: NULL ptr use
> Fixes: 
> 378634700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5008344043028480
> 
> Found-by: continuous fuzzing process 
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <[email protected]>
> ---
>  libavcodec/rv60dec.c | 17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
> index 4cc71dcd6ee..528f91acf05 100644
> --- a/libavcodec/rv60dec.c
> +++ b/libavcodec/rv60dec.c
> @@ -1745,15 +1745,24 @@ static int decode_cu_r(RV60Context * s, AVFrame * 
> frame, ThreadContext * thread,
>              bx = mv_x << 2;
>              by = mv_y << 2;
>  
> +            if (!(mv.mvref&2)) {

hi michael. please insert some space around the & symbol

> +                if (!s->last_frame[LAST_PIC]->data[0]) {
> +                    av_log(s->avctx, AV_LOG_ERROR, "missing reference 
> frame\n");
> +                    return AVERROR_INVALIDDATA;
> +                }
> +            }
> +            if (mv.mvref & 6) {
> +                if (!s->last_frame[NEXT_PIC]->data[0]) {
> +                    av_log(s->avctx, AV_LOG_ERROR, "missing reference 
> frame\n");
> +                    return AVERROR_INVALIDDATA;
> +                }
> +            }
> +
>              switch (mv.mvref) {
>              case MVREF_REF0:
>                  mc(s, frame->data, frame->linesize, s->last_frame[LAST_PIC], 
> bx, by, bw, bh, mv.f_mv, 0);
>                  break;
>              case MVREF_REF1:
> -                if (!s->last_frame[NEXT_PIC]->data[0]) {
> -                    av_log(s->avctx, AV_LOG_ERROR, "missing reference 
> frame\n");
> -                    return AVERROR_INVALIDDATA;
> -                }
>                  mc(s, frame->data, frame->linesize, s->last_frame[NEXT_PIC], 
> bx, by, bw, bh, mv.f_mv, 0);
>                  break;
>              case MVREF_BREF:

suggest also setting enum MVREF_NONE = 0 higher up in the file, so it is clear
to readers these enums are ordered deliberately.

enum MVRefEnum {
      MVREF_NONE = 0
      MVREF_REF0,

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

Attachment: signature.asc
Description: PGP signature

_______________________________________________
ffmpeg-devel mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
[email protected] with subject "unsubscribe".

Reply via email to