x/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-11 08:13:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/mwsc: do not dereference a missing reference frame

Browse Source 
Fixes: 493841393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5079884677578752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-06-05 01:27:39 +00:00
committed by michaelni
parent 65ae944d34
commit ba825ce85f
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/mwsc.c
+11 -3
View File
@@ -65,6 +65,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext
} else if (run == 255) {
int pos = bytestream2_tell_p(pb);
if (!gbp)
return AVERROR_INVALIDDATA;
bytestream2_seek(gbp, pos, SEEK_SET);
if (pos + width - w < fill)
@@ -128,11 +131,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
return ret;
bytestream2_init(&gb, s->decomp_buf, zstream->total_out);
bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * s->prev_frame->linesize[0]);
if (s->prev_frame->data[0])
bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * s->prev_frame->linesize[0]);
bytestream2_init_writer(&pb, frame->data[0], avctx->height * frame->linesize[0]);
if (rle_uncompress(&gb, &pb, &gbp, avctx->width, avctx->height, avctx->width * 3,
frame->linesize[0], s->prev_frame->linesize[0]))
ret = rle_uncompress(&gb, &pb, s->prev_frame->data[0] ? &gbp : NULL,
avctx->width, avctx->height, avctx->width * 3,
frame->linesize[0], s->prev_frame->linesize[0]);
if (ret < 0)
return ret;
if (ret)
frame->flags |= AV_FRAME_FLAG_KEY;
else
frame->flags &= ~AV_FRAME_FLAG_KEY;