PR #23294 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23294 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23294.patch
Fixes: 493841393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5079884677578752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
>From a6276374cfbb1f46586fda1fbeffa401e9f0505d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sun, 31 May 2026 04:31:05 +0200
Subject: [PATCH] avcodec/mwsc: do not dereference a missing reference frame

Fixes: 493841393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5079884677578752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/mwsc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c
index 0d4ee9791a..8976376d4f 100644
--- a/libavcodec/mwsc.c
+++ b/libavcodec/mwsc.c
@@ -65,6 +65,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext } else if (run == 255) { int pos = bytestream2_tell_p(pb); + if (!gbp) + return AVERROR_INVALIDDATA; + bytestream2_seek(gbp, pos, SEEK_SET); if (pos + width - w < fill) 
@@ -128,11 +131,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return ret; bytestream2_init(&gb, s->decomp_buf, zstream->total_out); - bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * s->prev_frame->linesize[0]); + if (s->prev_frame->data[0]) + bytestream2_init(&gbp, s->prev_frame->data[0], avctx->height * s->prev_frame->linesize[0]); bytestream2_init_writer(&pb, frame->data[0], avctx->height * frame->linesize[0]); - if (rle_uncompress(&gb, &pb, &gbp, avctx->width, avctx->height, avctx->width * 3, - frame->linesize[0], s->prev_frame->linesize[0])) + ret = rle_uncompress(&gb, &pb, s->prev_frame->data[0] ? &gbp : NULL, + avctx->width, avctx->height, avctx->width * 3, + frame->linesize[0], s->prev_frame->linesize[0]); + if (ret < 0) + return ret; + if (ret) frame->flags |= AV_FRAME_FLAG_KEY; else frame->flags &= ~AV_FRAME_FLAG_KEY;
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
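Review bot: The NULL-reference contract this call site now relies on, `s->prev_frame->data[0] ? &gbp : NULL`, is not documented anywhere visible: neither the call nor rle_uncompress's signature says that a NULL gbp makes every run == 255 block fail with AVERROR_INVALIDDATA while a frame made only of intra runs still decodes, so a comment such as `/* no reference frame yet: pass NULL so inter (run == 255) blocks are rejected */` above the call would keep that intent readable. The same `s->prev_frame->data[0]` test is evaluated twice, once to guard bytestream2_init and once in the ternary; computing it once, `GetByteContext *ref = s->prev_frame->data[0] ? &gbp : NULL;`, then `if (ref) bytestream2_init(&gbp, ...)` and passing `ref`, keeps the two from drifting apart under later edits. `s->prev_frame->linesize[0]` is still passed as gbp_linesize when there is no reference frame; that is harmless only as long as rle_uncompress never reads it before the `!gbp` check added in the first hunk, which cannot be confirmed here because rle_uncompress's body continues outside that hunk. decode_frame itself begins and ends outside this hunk.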
