mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/hnm4video: Forward errors of decode_interframe_v4()
Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
a3adc3b6a0
commit
9af8ce754b
|
@ -143,7 +143,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
|
static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
|
||||||
{
|
{
|
||||||
Hnm4VideoContext *hnm = avctx->priv_data;
|
Hnm4VideoContext *hnm = avctx->priv_data;
|
||||||
GetByteContext gb;
|
GetByteContext gb;
|
||||||
|
@ -162,7 +162,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
|
||||||
if (tag == 0) {
|
if (tag == 0) {
|
||||||
if (writeoffset + 2 > hnm->width * hnm->height) {
|
if (writeoffset + 2 > hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
|
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
|
||||||
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
|
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
|
||||||
|
@ -176,7 +176,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
|
||||||
count = bytestream2_get_byte(&gb) * 2;
|
count = bytestream2_get_byte(&gb) * 2;
|
||||||
if (writeoffset + count > hnm->width * hnm->height) {
|
if (writeoffset + count > hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
while (count > 0) {
|
while (count > 0) {
|
||||||
hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
|
hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
|
||||||
|
@ -188,7 +188,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
|
||||||
}
|
}
|
||||||
if (writeoffset > hnm->width * hnm->height) {
|
if (writeoffset > hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
previous = bytestream2_peek_byte(&gb) & 0x20;
|
previous = bytestream2_peek_byte(&gb) & 0x20;
|
||||||
|
@ -204,24 +204,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
|
||||||
|
|
||||||
if (!backward && offset + 2*count > hnm->width * hnm->height) {
|
if (!backward && offset + 2*count > hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
} else if (backward && offset + 1 >= hnm->width * hnm->height) {
|
} else if (backward && offset + 1 >= hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
} else if (writeoffset + 2*count > hnm->width * hnm->height) {
|
} else if (writeoffset + 2*count > hnm->width * hnm->height) {
|
||||||
av_log(avctx, AV_LOG_ERROR,
|
av_log(avctx, AV_LOG_ERROR,
|
||||||
"Attempting to write out of bounds\n");
|
"Attempting to write out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
}
|
}
|
||||||
if(backward) {
|
if(backward) {
|
||||||
if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
|
if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (offset < (!!backline)*(2 * hnm->width - 1)) {
|
if (offset < (!!backline)*(2 * hnm->width - 1)) {
|
||||||
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
|
||||||
break;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -268,6 +269,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
|
static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
|
||||||
|
@ -435,7 +437,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
|
||||||
decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
|
decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
|
||||||
memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
|
memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
|
||||||
} else {
|
} else {
|
||||||
decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
|
int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
|
||||||
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
postprocess_current_frame(avctx);
|
postprocess_current_frame(avctx);
|
||||||
}
|
}
|
||||||
copy_processed_frame(avctx, frame);
|
copy_processed_frame(avctx, frame);
|
||||||
|
|
Loading…
Reference in New Issue