Google Git
Sign in
aomedia / aom / fa61072a3b8582362956a4faa6339b19af43fb38^! / .
commitfa61072a3b8582362956a4faa6339b19af43fb38[log] [tgz]
authorWan-Teh Chang <wtc@google.com>Mon Sep 17 17:21:59 2018 -0700
committerWan-Teh Chang <wtc@google.com>Fri Mar 29 01:39:29 2024 +0000
treee0ad1cd0ea2c80b9ca52a4acba42b9ffa1dc638f
parent52a2fce2bba2b9d06aa5158630fc99fe2b932062 [diff]
Call decoder_decode() even on invalid input data.

The first thing decoder_decode() does is to release the output frames
from the previous decoder_decode() call. We need that side effect even
when the input data pointer or data size is invalid, so that the
subsequent aom_codec_get_frame() call (which is called by
av1_dec_fuzzer.cc even after a failed aom_codec_decode() call) will not
return an old output frame again.

BUG=oss-fuzz:10151

Change-Id: I4e3f3b3a3d437abc0140074595d83ac285cf8149
(cherry picked from commit e81859e9fb0c842b015f298c3d7be0ae8b15f180)

diff --git a/aom/src/aom_decoder.c b/aom/src/aom_decoder.c
index e0cec10..8c9111f 100644
--- a/aom/src/aom_decoder.c
+++ b/aom/src/aom_decoder.c

@@ -101,9 +101,7 @@
                                  size_t data_sz, void *user_priv) {
   aom_codec_err_t res;
 
-  /* Sanity checks */
-  /* NULL data ptr allowed if data_sz is 0 too */
-  if (!ctx || (!data && data_sz) || (data && !data_sz))
+  if (!ctx)
     res = AOM_CODEC_INVALID_PARAM;
   else if (!ctx->iface || !ctx->priv)
     res = AOM_CODEC_ERROR;

diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index 58e530f..b08531f 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c

@@ -582,12 +582,11 @@
 static aom_codec_err_t decoder_decode(aom_codec_alg_priv_t *ctx,
                                       const uint8_t *data, size_t data_sz,
                                       void *user_priv) {
-  const uint8_t *data_start = data;
-  const uint8_t *data_end = data + data_sz;
   aom_codec_err_t res = AOM_CODEC_OK;
 
-  // Release any pending output frames from the previous decoder call.
-  // We need to do this even if the decoder is being flushed
+  // Release any pending output frames from the previous decoder_decode call.
+  // We need to do this even if the decoder is being flushed or the input
+  // arguments are invalid.
   if (ctx->frame_workers) {
     BufferPool *const pool = ctx->buffer_pool;
     RefCntBuffer *const frame_bufs = pool->frame_bufs;
@@ -605,10 +604,13 @@
     unlock_buffer_pool(ctx->buffer_pool);
   }
 
+  /* Sanity checks */
+  /* NULL data ptr allowed if data_sz is 0 too */
   if (data == NULL && data_sz == 0) {
     ctx->flushed = 1;
     return AOM_CODEC_OK;
   }
+  if (data == NULL || data_sz == 0) return AOM_CODEC_INVALID_PARAM;
 
   // Reset flushed when receiving a valid frame.
   ctx->flushed = 0;
@@ -619,6 +621,9 @@
     if (res != AOM_CODEC_OK) return res;
   }
 
+  const uint8_t *data_start = data;
+  const uint8_t *data_end = data + data_sz;
+
   if (ctx->is_annexb) {
     // read the size of this temporal unit
     size_t length_of_size;