author | James Almer <jamrial@gmail.com> | 2020-10-04 10:21:59 -0300 |
---|---|---|
committer | James Almer <jamrial@gmail.com> | 2020-10-04 10:34:15 -0300 |
commit | 05872c67a4cad1f28c41121314d7cf76c1fe3163 (patch) | |
tree | 52435815e532665b657d837813830e1705601e9b /libavcodec/av1dec.c | |
parent | 069d2b4a50a6eb2f925f36884e6b9bd9a1e54670 (diff) |
avcodec/av1dec: partially clean state on frame decoding errors
Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct TileGroupInfo')
Fixes: 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
Diffstat (limited to 'libavcodec/av1dec.c')
-rw-r--r-- | libavcodec/av1dec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 07026b7aeb..1b09dc183a 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -686,6 +686,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
 ret = set_context_with_sequence(avctx, s->raw_seq);
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "Failed to set context.\n");
+ s->raw_seq = NULL;
 goto end;
 }
@@ -694,6 +695,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "Failed to get pixel format.\n");
+ s->raw_seq = NULL;
 goto end;
 }
 }
@@ -703,6 +705,7 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
 unit->data_size);
 if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "HW accel decode params fail.\n");
+ s->raw_seq = NULL;
 goto end;
 }
 }
@@ -841,6 +844,8 @@ static int av1_decode_frame(AVCodecContext *avctx, void *frame,
 end:
 ff_cbs_fragment_reset(&s->current_obu);
+ if (ret < 0)
+ s->raw_frame_header = NULL;
 return ret;
 }
|
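Review bot: The reset `s->raw_seq = NULL;` is repeated by hand in three error branches (this hunk and the ones at old lines 694 and 703), because `s->raw_seq` is already set when `set_context_with_sequence(avctx, s->raw_seq)` validates it. Any failure path added later in this sequence-header case that jumps to `end` without the reset would again leave a rejected sequence header in the decoder state for the next packet. Routing the three branches through one exit, e.g. a label holding `s->raw_seq = NULL; goto end;`, would keep the invariant in one place. Failing that, put a comment on the first reset, such as `/* sequence header was not accepted: later OBUs must not decode against it */`. Most of av1_decode_frame lies outside these hunks, so other exits of this case cannot be checked from here.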
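Review bot: The new `if (ret < 0) s->raw_frame_header = NULL;` after `end:` clears only the frame header, so the fix holds only if every later consumer checks `s->raw_frame_header` for NULL before touching tile-group state. The commit message cites a null `TileGroupInfo` access, but no reset of that state is visible in this hunk. A comment at the reset would record the contract, for example `/* on error drop the frame header so a following tile group OBU is rejected rather than decoded against partial state */`. Separately, `ff_cbs_fragment_reset(&s->current_obu)` runs before the check and on the success path the pointer is kept. If `raw_frame_header` points into storage owned by that fragment (ownership is not visible here), it would outlive the data it refers to, which is worth confirming.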