Skip to content
Permalink
Browse files Browse the repository at this point in the history
avcodec/hevcdec: Avoid only partly skiping duplicate first slices
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304

This also fixes the return code for explode mode

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5465562)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
michaelni committed Mar 27, 2019
1 parent d31940f commit 9ccc633
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions libavcodec/hevcdec.c
Expand Up @@ -472,6 +472,11 @@ static int hls_slice_header(HEVCContext *s)

// Coded parameters
sh->first_slice_in_pic_flag = get_bits1(gb);
if (s->ref && sh->first_slice_in_pic_flag) {
av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
return 1; // This slice will be skiped later, do not corrupt state
}

if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
s->seq_decode = (s->seq_decode + 1) & 0xff;
s->max_ra = INT_MAX;
Expand Down Expand Up @@ -2862,12 +2867,13 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
ret = hls_slice_header(s);
if (ret < 0)
return ret;
if (ret == 1) {
ret = AVERROR_INVALIDDATA;
goto fail;
}


if (s->sh.first_slice_in_pic_flag) {
if (s->ref) {
av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
goto fail;
}
if (s->max_ra == INT_MAX) {
if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) {
s->max_ra = s->poc;
Expand Down

0 comments on commit 9ccc633

Please sign in to comment.