har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/cavsdec: Check remaining bitstream in the main loop in decode_pic()

Browse Source 
Fixes: Timeout (149sec ->1sec)
Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-09-24 23:33:03 +02:00
parent ea770eb559
commit e7113704b2
2 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libavcodec/cavsdec.c
View File

@ -1101,11 +1101,16 @@ static int decode_pic(AVSContext *h)
do { do {
if (check_for_slice(h)) if (check_for_slice(h))
skip_count = -1; skip_count = -1;
if (h->skip_mode_flag && (skip_count < 0)) if (h->skip_mode_flag && (skip_count < 0)) {
if (get_bits_left(&h->gb) < 1)
break;
skip_count = get_ue_golomb(&h->gb); skip_count = get_ue_golomb(&h->gb);
}
if (h->skip_mode_flag && skip_count--) { if (h->skip_mode_flag && skip_count--) {
decode_mb_p(h, P_SKIP); decode_mb_p(h, P_SKIP);
} else { } else {
if (get_bits_left(&h->gb) < 1)
break;
mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag; mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag;
if (mb_type > P_8X8) if (mb_type > P_8X8)
ret = decode_mb_i(h, mb_type - P_8X8 - 1); ret = decode_mb_i(h, mb_type - P_8X8 - 1);
@ -1119,11 +1124,16 @@ static int decode_pic(AVSContext *h)
do { do {
if (check_for_slice(h)) if (check_for_slice(h))
skip_count = -1; skip_count = -1;
if (h->skip_mode_flag && (skip_count < 0)) if (h->skip_mode_flag && (skip_count < 0)) {
if (get_bits_left(&h->gb) < 1)
break;
skip_count = get_ue_golomb(&h->gb); skip_count = get_ue_golomb(&h->gb);
}
if (h->skip_mode_flag && skip_count--) { if (h->skip_mode_flag && skip_count--) {
ret = decode_mb_b(h, B_SKIP); ret = decode_mb_b(h, B_SKIP);
} else { } else {
if (get_bits_left(&h->gb) < 1)
break;
mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag; mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag;
if (mb_type > B_8X8) if (mb_type > B_8X8)
ret = decode_mb_i(h, mb_type - B_8X8 - 1); ret = decode_mb_i(h, mb_type - B_8X8 - 1);

2
tests/ref/fate/cavs
View File

@ -172,4 +172,4 @@
0, 166, 166, 1, 622080, 0x05496a5d 0, 166, 166, 1, 622080, 0x05496a5d
0, 167, 167, 1, 622080, 0xdcb4cee8 0, 167, 167, 1, 622080, 0xdcb4cee8
0, 168, 168, 1, 622080, 0xb41172e5 0, 168, 168, 1, 622080, 0xb41172e5
0, 169, 169, 1, 622080, 0x56c72478 0, 169, 169, 1, 622080, 0x26146e0b