Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 54655623a82632e7624714d7b2a3e039dc5faa7e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
@@ -472,6 +472,11 @@ static int hls_slice_header(HEVCContext *s) |
472 | 472 |
|
473 | 473 |
// Coded parameters |
474 | 474 |
sh->first_slice_in_pic_flag = get_bits1(gb); |
475 |
+ if (s->ref && sh->first_slice_in_pic_flag) { |
|
476 |
+ av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); |
|
477 |
+ return 1; // This slice will be skiped later, do not corrupt state |
|
478 |
+ } |
|
479 |
+ |
|
475 | 480 |
if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { |
476 | 481 |
s->seq_decode = (s->seq_decode + 1) & 0xff; |
477 | 482 |
s->max_ra = INT_MAX; |
@@ -2862,12 +2867,13 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) |
2862 | 2862 |
ret = hls_slice_header(s); |
2863 | 2863 |
if (ret < 0) |
2864 | 2864 |
return ret; |
2865 |
+ if (ret == 1) { |
|
2866 |
+ ret = AVERROR_INVALIDDATA; |
|
2867 |
+ goto fail; |
|
2868 |
+ } |
|
2869 |
+ |
|
2865 | 2870 |
|
2866 | 2871 |
if (s->sh.first_slice_in_pic_flag) { |
2867 |
- if (s->ref) { |
|
2868 |
- av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); |
|
2869 |
- goto fail; |
|
2870 |
- } |
|
2871 | 2872 |
if (s->max_ra == INT_MAX) { |
2872 | 2873 |
if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { |
2873 | 2874 |
s->max_ra = s->poc; |
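Review bot: The bare `return 1` added to hls_slice_header and the matching `if (ret == 1)` added in decode_nal_unit share an undocumented magic sentinel, and the comment on the return line still says the slice "will be skiped later" even though this same commit now maps that value to `AVERROR_INVALIDDATA` at the caller. I would spell out the contract where the value is produced, `return 1; /* duplicate first_slice_in_pic_flag: caller maps 1 to AVERROR_INVALIDDATA; bail before seq_decode/max_ra are touched */`, and mirror it where it is consumed, `if (ret == 1) { /* hls_slice_header refused a second first-slice; no state was modified */`. Whether any other path of hls_slice_header already returns a positive value that would now be misread as this sentinel cannot be told from the hunk and should be confirmed. The new guard does sit before the IDR/BLA `seq_decode` update in the first hunk, which is what keeps state uncorrupted; the `fail` label and the remainder of decode_nal_unit lie outside the second hunk.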