
Commit 9ccc633

committed
avcodec/hevcdec: Avoid only partly skiping duplicate first slices
Fixes: NULL pointer dereference and out of array access Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 This also fixes the return code for explode mode Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5465562) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent d31940f commit 9ccc633


1 file changed

+10
-4
lines changed


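--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -472,6 +472,11 @@ static int hls_slice_header(HEVCContext *s)
 
     // Coded parameters
     sh->first_slice_in_pic_flag = get_bits1(gb);
+    if (s->ref && sh->first_slice_in_pic_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
+        return 1; // This slice will be skiped later, do not corrupt state
+    }
+
     if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
         s->seq_decode = (s->seq_decode + 1) & 0xff;
         s->max_ra = INT_MAX;
@@ -2862,12 +2867,13 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
         ret = hls_slice_header(s);
         if (ret < 0)
             return ret;
+        if (ret == 1) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
 
         if (s->sh.first_slice_in_pic_flag) {
-            if (s->ref) {
-                av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
-                goto fail;
-            }
             if (s->max_ra == INT_MAX) {
                 if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) {
                     s->max_ra = s->poc;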
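Review bot: The new `return 1` in hls_slice_header establishes a third return contract (0 parsed, 1 skip this slice, negative AVERROR) that only the `if (ret == 1)` check in decode_nal_unit understands, and the function's header comment, which lies outside the hunk, does not state it; I would document it there with a line like `Returns 0 on success, 1 if the slice must be skipped because a first slice for this frame was already seen (s->sh is then only partly filled), or a negative AVERROR code.` Because the early return leaves s->sh holding only first_slice_in_pic_flag, any other caller that checks just `ret < 0` would proceed on a half-parsed header, so it is worth confirming that decode_nal_unit is the sole caller. The inline comment also carries a typo: `return 1; // This slice will be skipped later, do not corrupt state`. Both hls_slice_header and decode_nal_unit, including the fail label the new goto targets, continue outside the hunks.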
