Opened 10 months ago
Last modified 2 weeks ago
#11687 new defect
[Security] Null pointer dereference on libswscale/slice.c
| Reported by: | flyfish101 | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | swscale |
| Version: | git-master | Keywords: | scale |
| Cc: | Niklas Haas | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz$ ./target_sws_fuzzer1051 /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
Reading 181 bytes from /home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/out_sws_1051/default/crashes/id:000128,sig:11,src:000545+000155_time:144463_execs:66025_op:splice_rep:8
1 x 10216 yuva420p10le -> 127 x 1 nv16
libswscale/slice.c:233:25: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
libswscale/slice.c:233:25: runtime error: load of null pointer of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/slice.c:233:25 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2824107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555556091215 bp 0x7fffffffc890 sp 0x7fffffffc7a0 T0)
==2824107==The signal is caused by a READ memory access.
==2824107==Hint: address points to the zero page.
#0 0x555556091215 in get_min_buffer_size /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25
#1 0x5555560878ca in ff_init_filters /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:265:5
#2 0x5555557b93f9 in ff_sws_init_single_context /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/utils.c:1452:20
#3 0x5555559689db in LLVMFuzzerTestOneInput /home/fuzz/Desktop/projects_oss/FFmpeg/tools/./target_sws_fuzzer1051.c:178:11
#4 0x55555595f37d in ExecuteFilesOnyByOne /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#5 0x55555595f188 in LLVMFuzzerRunDriver /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#6 0x55555595ed48 in main /home/fuzz/Desktop/DDGF_Project/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#7 0x7ffff7c3b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x555555869fdd in _start (/home/fuzz/Desktop/projects_oss/FFmpeg/tools/fuzzout/sws_fuzz/target_sws_fuzzer1051+0x315fdd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/Desktop/projects_oss/FFmpeg/libswscale/slice.c:233:25 in get_min_buffer_size
==2824107==ABORTING
Attachments (2)
Change History (7)
10 months ago
| Attachment: | poc_slice_c_233 added |
|---|---|
comment:1, 10 months ago
| Description: | modified (diff) |
|---|---|
comment:2, 10 months ago
| Summary: | [Security] Null pointer deference on libswscale/slice.c → [Security] Null pointer dereference on libswscale/slice.c |
|---|---|
comment:3, 10 months ago
| Version: | unspecified → git-master |
|---|---|
comment:4, 10 months ago
| Cc: | added |
|---|---|
comment:5, 2 weeks ago
I may have just hit this code path by accident.
To reproduce:
ffplay -f lavfi -i nullsrc=s=400x400 -vf "scale=5:5:flags=lanczos:gamma=1"
Command line:
./ffplay_g -f lavfi -i "nullsrc=s=400x400" -vf "scale=5:5:flags=lanczos:gamma=1" -report
ffplay version N-124278-gcc3ca17127 Copyright (c) 2003-2026 the FFmpeg developers
built with gcc 15 (SUSE Linux)
configuration: --prefix=/usr --libdir=/usr/lib64 --shlibdir=/usr/lib64 --incdir=/usr/include/ffmpeg --extra-cflags='-O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -g' --optflags='-O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -g' --disable-htmlpages --enable-pic --disable-stripping --disable-shared --enable-static --enable-gpl --enable-version3 --enable-nonfree
libavutil 60. 30.100 / 60. 30.100
libavcodec 62. 30.100 / 62. 30.100
libavformat 62. 13.102 / 62. 13.102
libavdevice 62. 4.100 / 62. 4.100
libavfilter 11. 17.100 / 11. 17.100
libswscale 9. 7.100 / 9. 7.100
libswresample 6. 4.100 / 6. 4.100
Initialized opengl renderer.
nan : 0.000 fd= 0 aq= 0KB vq= 0KB sq= 0B
[AVFilterGraph @ 0x7f1398001300] Setting 's' to value '400x400'
detected 4 logical cores
[Parsed_nullsrc_0 @ 0x7f1398001f40] size:400x400 rate:25/1 duration:-1.000000 sar:1/1
[AVFilterGraph @ 0x7f1398001300] query_formats: 2 queried, 4 merged, 0 already done, 0 delayed
[lavfi @ 0x7f1398000d00] All info found
Input #0, lavfi, from 'nullsrc=s=400x400':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0, 1, 1/25: Video: wrapped_avframe, yuv420p, 400x400 [SAR 1:1 DAR 1:1], 25 fps, 25 tbr, 25 tbn
Video frame changed from size:0x0 format:none serial:-1 to size:400x400 format:yuv420p serial:1
[ffplay_buffer @ 0x7f1390001ac0] w:400 h:400 pixfmt:yuv420p tb:1/25 fr:25/1 sar:1/1 csp:unknown range:unknown alpha:unspecified
[AVFilterGraph @ 0x7f1390001080] Setting 'w' to value '5'
[AVFilterGraph @ 0x7f1390001080] Setting 'h' to value '5'
[AVFilterGraph @ 0x7f1390001080] Setting 'flags' to value 'lanczos'
[AVFilterGraph @ 0x7f1390001080] Setting 'gamma' to value '1'
[Parsed_scale_0 @ 0x7f13900022c0] w:5 h:5 flags:'lanczos' interl:0
[AVFilterGraph @ 0x7f1390001080] query_formats: 3 queried, 8 merged, 0 already done, 0 delayed
[Parsed_scale_0 @ 0x7f13900022c0] w:400 h:400 fmt:yuv420p csp:unknown range:unknown sar:1/1 -> w:5 h:5 fmt:yuv420p csp:bt709 range:unknown sar:1/1 flags:0x00000200
[Parsed_scale_0 @ 0x7f13900022c0] [framesync @ 0x7f13900023d0] Selected 1/25 time base
[Parsed_scale_0 @ 0x7f13900022c0] [framesync @ 0x7f13900023d0] Sync level 1
[ffplay_buffer @ 0x7f1390001ac0] video frame properties congruent with link at pts_time: 0
[swscaler @ 0x7f1390020100] No accelerated colorspace conversion found from yuv420p to rgba64le.
[swscaler @ 0x7f1390051f80] Forcing full internal H chroma due to odd output size
[swscaler @ 0x7f1390051f80] Forcing full internal H chroma due to input having non subsampled chroma
sws: initFilter failed
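Both reports stop at the same step: the ASan trace ends inside get_min_buffer_size, and the ffplay run logs a failed filter initialisation right before. The block below is an added example, not FFmpeg's own code, that models such a pass on an example-only struct filter_tables: the unchecked form indexes the vertical filter position tables the way the UBSan line ("load of null pointer of type 'int'") suggests, and the hardened form returns an error when a failed init has left those tables NULL. The position tables and tap counts are constructed sample values, and every identifier is the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_OF(a, b) ((a) > (b) ? (a) : (b))
struct filter_tables {                /* example-only model of scaler state */
    int  dst_h, chr_dst_h;            /* output lines, luma and chroma */
    int *lum_pos, *chr_pos;           /* first source line used per output line */
    int  lum_size, chr_size;          /* vertical filter taps */
    int  chr_vsub;                    /* vertical chroma subsampling shift */
};
/* Unchecked form: indexes lum_pos/chr_pos unconditionally. Tables left NULL
 * by a failed filter init give the null read in the ticket's ASan trace. */
static int min_buffer_size_unchecked(const struct filter_tables *t,
                                     int *out_lum, int *out_chr)
{
    *out_lum = t->lum_size;
    *out_chr = t->chr_size;
    for (int y = 0; y < t->dst_h; y++) {
        int cy   = (int)((int64_t)y * t->chr_dst_h / t->dst_h);
        int next = MAX_OF(t->lum_pos[y] + t->lum_size - 1,
                          (t->chr_pos[cy] + t->chr_size - 1) << t->chr_vsub);
        next = (next >> t->chr_vsub) << t->chr_vsub;  /* align to chroma rows */
        *out_lum = MAX_OF(*out_lum, next - t->lum_pos[y]);
        *out_chr = MAX_OF(*out_chr, (next >> t->chr_vsub) - t->chr_pos[cy]);
    }
    return 0;
}

/* Hardened form: reject incomplete state so the caller fails init cleanly. */
static int min_buffer_size_checked(const struct filter_tables *t,
                                   int *out_lum, int *out_chr)
{
    if (!t->lum_pos || !t->chr_pos || t->dst_h <= 0 || t->chr_dst_h <= 0 ||
        t->lum_size <= 0 || t->chr_size <= 0 || t->chr_vsub < 0)
        return -1;
    return min_buffer_size_unchecked(t, out_lum, out_chr);
}
/* Constructed sample: 4 luma / 2 chroma output lines, 4:2:0 (shift 1), 2-tap
 * luma and 4-tap chroma filters. null_tables=1 mimics a failed init.
 * Returns -1 when rejected, otherwise lum_size * 256 + chr_size. */
static int sample_lum_pos[4] = {0, 1, 2, 3};
static int sample_chr_pos[2] = {0, 1};
int demo_sizes(int null_tables)
{
    struct filter_tables t = {4, 2, sample_lum_pos, sample_chr_pos, 2, 4, 1};
    int lum = 0, chr = 0;
    if (null_tables)
        t.lum_pos = t.chr_pos = NULL;
    return min_buffer_size_checked(&t, &lum, &chr) < 0 ? -1 : lum * 256 + chr;
}
```

demo_sizes(0) returns 6 * 256 + 4: the luma slice buffer must cover 6 lines even though the luma filter has only 2 taps, because the 4-tap chroma filter spans 8 luma rows once aligned to chroma rows.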