Hi,

On Wed, Mar 8, 2017 at 10:07 PM, Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608 > > Found-by: continuous fuzzing process https://github.com/google/oss- > fuzz/tree/master/targets/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/vp56.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c > index 0010408847..bccb424903 100644 > --- a/libavcodec/vp56.c > +++ b/libavcodec/vp56.c > @@ -710,7 +710,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, > void *data, > int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); > if (ret < 0) { > damaged = 1; > - if (!s->have_undamaged_frame) { > + if (s->have_undamaged_frame < s->mb_width * > s->mb_height) { > s->discard_frame = 1; > return AVERROR_INVALIDDATA; > } > @@ -732,7 +732,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, > void *data, > } > > if (!damaged) > - s->have_undamaged_frame = 1; > + s->have_undamaged_frame = s->mb_width * s->mb_height; You know very well that this makes the memory issue go away but isn't doing the right thing if width1!=width2 && height1!=height2 but width1*height1 == width2*height2. This is obviously because vpN codecs up to and including vp8 don't include scalable MC. Can you do this right and only allow this if frame/ref width and height both match, not just their product? Ronald _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
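Review bot: in the first hunk (@@ -710), the condition `if (s->have_undamaged_frame < s->mb_width * s->mb_height)` only compares a macroblock count against the product of the current dimensions, so an earlier undamaged frame of a different width and height whose product happens to match still passes the check and the decoder proceeds with a reference of the wrong geometry; since these codecs have no scaled motion compensation, the check should confirm that both the stored width and the stored height of the undamaged frame equal the current `s->mb_width` and `s->mb_height`, e.g. by recording those two values when the frame is marked undamaged and comparing each of them here rather than their product.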
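Review bot: in the second hunk (@@ -732), `s->have_undamaged_frame = s->mb_width * s->mb_height;` turns what the name and the old `= 1` assignment present as a boolean flag into a macroblock count, so the field no longer means what its name says and the product cannot be decomposed back into width and height for the comparison in the first hunk; either rename the field and document its new meaning or, better, store `mb_width` and `mb_height` of the undamaged frame in two fields. The declared type of `have_undamaged_frame` is not visible in this diff, so please also verify it is wide enough to hold `mb_width * mb_height` without truncation.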