avcodec/cbs_apv: store derived tile information in a per frame basis

If a single fragment contains more than one frame unit, the tile information stored in the private context will only correspond to one of them. Fixes: crash (out of array access) Fixes: 435489659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-6194885205229568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer <jamrial@gmail.com>
2025-12-08 06:09:50 +00:00 · 2025-08-10 13:44:31 -03:00 · 2025-08-10 13:44:31 -03:00 · 4b39d776c3
commit 4b39d776c3
parent 0469d68acb
4 changed files with 55 additions and 39 deletions
--- a/libavcodec/cbs_apv_syntax_template.c
+++ b/libavcodec/cbs_apv_syntax_template.c
@ -128,10 +128,10 @@ static int FUNC(tile_info)(CodedBitstreamContext *ctx, RWContext *rw,

    ub(1, tile_size_present_in_fh_flag);

-    cbs_apv_derive_tile_info(&priv->tile_info, fh);
+    cbs_apv_derive_tile_info(ctx, fh);

    if (current->tile_size_present_in_fh_flag) {
-        for (int t = 0; t < priv->tile_info.num_tiles; t++) {
+        for (int t = 0; t < priv->num_tiles; t++) {
            us(32, tile_size_in_fh[t], 10, MAX_UINT_BITS(32), 1, t);
        }
    }
@ -262,7 +262,7 @@ static int FUNC(frame)(CodedBitstreamContext *ctx, RWContext *rw,

    CHECK(FUNC(frame_header)(ctx, rw, &current->frame_header));

-    for (int t = 0; t < priv->tile_info.num_tiles; t++) {
+    for (int t = 0; t < priv->num_tiles; t++) {
        us(32, tile_size[t], 10, MAX_UINT_BITS(32), 1, t);

        CHECK(FUNC(tile)(ctx, rw, &current->tile[t],