Browse Source
avcodec/cavsdec: Check remaining bitstream in the main loop in decode_pic()
Fixes: Timeout (149sec ->1sec) Fixes: 17311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5679368642232320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>tags/n4.3
Michael Niedermayer
6 years ago
2 changed files with 13 additions and 3 deletions
Unified View
Diff Options
-
+12 -2libavcodec/cavsdec.c
-
+1 -1tests/ref/fate/cavs
+ 12
- 2
libavcodec/cavsdec.c
View File
| @@ -1101,11 +1101,16 @@ static int decode_pic(AVSContext *h) | |||||
| do { | do { | ||||
| if (check_for_slice(h)) | if (check_for_slice(h)) | ||||
| skip_count = -1; | skip_count = -1; | ||||
| if (h->skip_mode_flag && (skip_count < 0)) | |||||
| if (h->skip_mode_flag && (skip_count < 0)) { | |||||
| if (get_bits_left(&h->gb) < 1) | |||||
| break; | |||||
| skip_count = get_ue_golomb(&h->gb); | skip_count = get_ue_golomb(&h->gb); | ||||
| } | |||||
| if (h->skip_mode_flag && skip_count--) { | if (h->skip_mode_flag && skip_count--) { | ||||
| decode_mb_p(h, P_SKIP); | decode_mb_p(h, P_SKIP); | ||||
| } else { | } else { | ||||
| if (get_bits_left(&h->gb) < 1) | |||||
| break; | |||||
| mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag; | mb_type = get_ue_golomb(&h->gb) + P_SKIP + h->skip_mode_flag; | ||||
| if (mb_type > P_8X8) | if (mb_type > P_8X8) | ||||
| ret = decode_mb_i(h, mb_type - P_8X8 - 1); | ret = decode_mb_i(h, mb_type - P_8X8 - 1); | ||||
| @@ -1119,11 +1124,16 @@ static int decode_pic(AVSContext *h) | |||||
| do { | do { | ||||
| if (check_for_slice(h)) | if (check_for_slice(h)) | ||||
| skip_count = -1; | skip_count = -1; | ||||
| if (h->skip_mode_flag && (skip_count < 0)) | |||||
| if (h->skip_mode_flag && (skip_count < 0)) { | |||||
| if (get_bits_left(&h->gb) < 1) | |||||
| break; | |||||
| skip_count = get_ue_golomb(&h->gb); | skip_count = get_ue_golomb(&h->gb); | ||||
| } | |||||
| if (h->skip_mode_flag && skip_count--) { | if (h->skip_mode_flag && skip_count--) { | ||||
| ret = decode_mb_b(h, B_SKIP); | ret = decode_mb_b(h, B_SKIP); | ||||
| } else { | } else { | ||||
| if (get_bits_left(&h->gb) < 1) | |||||
| break; | |||||
| mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag; | mb_type = get_ue_golomb(&h->gb) + B_SKIP + h->skip_mode_flag; | ||||
| if (mb_type > B_8X8) | if (mb_type > B_8X8) | ||||
| ret = decode_mb_i(h, mb_type - B_8X8 - 1); | ret = decode_mb_i(h, mb_type - B_8X8 - 1); | ||||
+ 1
- 1
tests/ref/fate/cavs
View File
| @@ -172,4 +172,4 @@ | |||||
| 0, 166, 166, 1, 622080, 0x05496a5d | 0, 166, 166, 1, 622080, 0x05496a5d | ||||
| 0, 167, 167, 1, 622080, 0xdcb4cee8 | 0, 167, 167, 1, 622080, 0xdcb4cee8 | ||||
| 0, 168, 168, 1, 622080, 0xb41172e5 | 0, 168, 168, 1, 622080, 0xb41172e5 | ||||
| 0, 169, 169, 1, 622080, 0x56c72478 | |||||
| 0, 169, 169, 1, 622080, 0x26146e0b | |||||