avcodec/rv60dec: Check NEXT/LAST availability

Fixes: NULL ptr use
Fixes: 378634700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5008344043028480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2024-12-08 02:07:52 +01:00
parent 2336fc44ac
commit 61ff3047c5
No known key found for this signature in database
GPG key ID: B18E8928B3948D64


@ -61,7 +61,7 @@ enum IntraMode {
};
enum MVRefEnum {
MVREF_NONE,
MVREF_NONE = 0,
MVREF_REF0,
MVREF_REF1,
MVREF_BREF,
@ -1745,15 +1745,24 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread,
bx = mv_x << 2;
by = mv_y << 2;
if (!(mv.mvref & 2)) {
if (!s->last_frame[LAST_PIC]->data[0]) {
av_log(s->avctx, AV_LOG_ERROR, "missing reference frame\n");
return AVERROR_INVALIDDATA;
}
}
if (mv.mvref & 6) {
if (!s->last_frame[NEXT_PIC]->data[0]) {
av_log(s->avctx, AV_LOG_ERROR, "missing reference frame\n");
return AVERROR_INVALIDDATA;
}
}
switch (mv.mvref) {
case MVREF_REF0:
mc(s, frame->data, frame->linesize, s->last_frame[LAST_PIC], bx, by, bw, bh, mv.f_mv, 0);
break;
case MVREF_REF1:
if (!s->last_frame[NEXT_PIC]->data[0]) {
av_log(s->avctx, AV_LOG_ERROR, "missing reference frame\n");
return AVERROR_INVALIDDATA;
}
mc(s, frame->data, frame->linesize, s->last_frame[NEXT_PIC], bx, by, bw, bh, mv.f_mv, 0);
break;
case MVREF_BREF:
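Review bot: The masks in the two new guards, `!(mv.mvref & 2)` for LAST_PIC and `mv.mvref & 6` for NEXT_PIC, depend on the numeric values of MVRefEnum, and the only trace of that coupling is the `MVREF_NONE = 0` added in the enum hunk. If an enumerator is later inserted or reordered, a mode that reads a reference frame could slip past both guards, and the NULL pointer use this commit fixes would come back without any compiler warning. I would put a comment above the guards such as `/* bit 1 clear: mode reads LAST_PIC; bit 1 or 2 set: mode reads NEXT_PIC (relies on MVRefEnum numbering) */` and a matching note on the enum, or give the remaining enumerators explicit values as well. Only the first four enumerators and the first three switch cases are visible here, so whether the masks cover every case of the switch cannot be confirmed from this hunk; decode_cu_r starts and ends outside it.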