Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: michaelni <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] avfilter/x86/vf_noise: Use unaligned access (PR #21163)
Date: Thu, 11 Dec 2025 02:00:43 -0000
Message-ID: <176541844387.39.12132192919219372476@2cb04c0e5124>

PR #21163 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21163
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21163.patch

Regression since: 3ba570de8b666f5ae274b99d33cf4d4628cc385b (port from MMX to SSE2).

The SSE2 inline asm in libavfilter/x86/vf_noise.c (line_noise_sse2 and
line_noise_avg_sse2) uses aligned loads/stores (movdqa, movntdq) but never
checks pointer alignment. When the filter reuses an input frame (common
path when av_frame_is_writable() is true), it may receive misaligned data
from upstream filters that adjust frame->data[i] in place, notably vf_crop:

- vf_crop adjusts plane pointers by arbitrary byte offsets
  (frame->data[plane] += ...), so an x offset of 1 on 8-bit formats produces
  a 1-byte misalignment.
- The noise filter then calls the SSE2 path directly on those pointers
  without realigning or falling back.

Repro on x86_64/SSE2 (current HEAD at that commit):

./ffmpeg -v error -f lavfi -i testsrc=s=320x240:rate=1 \
    -vf "format=yuv420p,crop=w=319:x=1:h=240:exact=1,noise=alls=50" \
    -frames:v 1 -f null -

This crashes with SIGSEGV at the aligned load in line_noise_sse2
(movdqa (%r9,%rax),%xmm0; effective address misaligned by 1 byte).

Impact: denial of service via crafted filtergraphs (e.g., crop + noise).
Applies to planar 8-bit formats where upstream filters can shift data
pointers without reallocating.

Found-by: Pwno OSS Team
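The mechanism described above (an upstream crop advancing frame->data[] by a byte offset, then a kernel built on movdqa faulting on the shifted pointer) and the alternative the description names but the patch does not take (checking alignment and falling back) can be shown with a small constructed C program. This is an added illustration and not FFmpeg's code: Plane, crop_plane_x, choose_path, line_noise and run_cropped_line are hypothetical names, the SSE2 intrinsics stand in for the inline asm, and the ramp and noise data are constructed. The kernel uses the same bias trick as the patched loop (xor 0x80, saturating signed add, xor back), selects the aligned-load variant only when every operand sits on a 16-byte boundary, and handles the non-multiple-of-16 tail in scalar code.

```c
/* Added example (not FFmpeg code): alignment-aware dispatch for a SIMD line kernel.
 * Models the report: an upstream crop shifts a plane pointer by x bytes, so a kernel
 * that assumes 16-byte alignment must detect that and use the unaligned form. */
#include <stdint.h>
#include <stdio.h>
#if defined(__SSE2__)
#include <emmintrin.h>
#endif

#define SIMD_ALIGN  16
#define PLANE_BYTES 64

/* Hypothetical stand-in for AVFrame plane bookkeeping (one 8-bit plane, one line). */
typedef struct {
    uint8_t *data;   /* like frame->data[plane] */
    int      width;  /* bytes in the line */
} Plane;

/* What vf_crop does on an 8-bit plane: advance the pointer in place, no realloc. */
static void crop_plane_x(Plane *p, int x)
{
    p->data  += x;
    p->width -= x;
}

/* 0: every operand is 16-byte aligned, movdqa-style access is safe.
 * 1: at least one operand is misaligned, only movdqu-style access is safe. */
int choose_path(const uint8_t *dst, const uint8_t *src, const int8_t *noise)
{
    uintptr_t bits = (uintptr_t)dst | (uintptr_t)src | (uintptr_t)noise;
    return (bits & (SIMD_ALIGN - 1)) ? 1 : 0;
}

/* Scalar reference: dst[i] = clamp(src[i] + noise[i], 0, 255). */
static void line_noise_c(uint8_t *dst, const uint8_t *src, const int8_t *noise, int len)
{
    for (int i = 0; i < len; i++) {
        int v = src[i] + noise[i];
        dst[i] = (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
    }
}

#if defined(__SSE2__)
/* Same arithmetic as the asm loop: xor 0x80 to go signed, paddsb, xor back.
 * 'unaligned' picks loadu/storeu (movdqu) instead of load/store (movdqa). */
static void line_noise_sse2(uint8_t *dst, const uint8_t *src, const int8_t *noise,
                            int len, int unaligned)
{
    const __m128i bias = _mm_set1_epi8((char)0x80);
    for (int i = 0; i < len; i += 16) {
        __m128i s, n, r;
        if (unaligned) {
            s = _mm_loadu_si128((const __m128i *)(src + i));
            n = _mm_loadu_si128((const __m128i *)(noise + i));
        } else {
            s = _mm_load_si128((const __m128i *)(src + i));   /* would fault if misaligned */
            n = _mm_load_si128((const __m128i *)(noise + i));
        }
        r = _mm_xor_si128(_mm_adds_epi8(_mm_xor_si128(s, bias), n), bias);
        if (unaligned)
            _mm_storeu_si128((__m128i *)(dst + i), r);
        else
            _mm_store_si128((__m128i *)(dst + i), r);
    }
}
#endif

/* Dispatcher: vector body on the 16-byte-multiple prefix, scalar tail.
 * Returns the path chosen (0 aligned, 1 unaligned) so callers can verify it. */
int line_noise(uint8_t *dst, const uint8_t *src, const int8_t *noise, int len)
{
    int path    = choose_path(dst, src, noise);
    int vec_len = len & ~(SIMD_ALIGN - 1);
#if defined(__SSE2__)
    line_noise_sse2(dst, src, noise, vec_len, path);
#else
    line_noise_c(dst, src, noise, vec_len);      /* no SSE2 on this target */
#endif
    line_noise_c(dst + vec_len, src + vec_len, noise + vec_len, len - vec_len);
    return path;
}

/* Constructed planes: a 16-byte-aligned ramp and an alternating -100/+100 noise table. */
static _Alignas(16) uint8_t g_src[PLANE_BYTES];
static _Alignas(16) uint8_t g_dst[PLANE_BYTES];
static _Alignas(16) int8_t  g_noise[PLANE_BYTES];
static int g_last_x;

/* Reproduces the report's scenario: crop the line by x bytes, then run the kernel. */
int run_cropped_line(int x)
{
    for (int i = 0; i < PLANE_BYTES; i++) {
        g_src[i]   = (uint8_t)(i * 4);
        g_dst[i]   = 0;
        g_noise[i] = (i & 1) ? 100 : -100;
    }
    Plane src = { g_src, PLANE_BYTES };
    Plane dst = { g_dst, PLANE_BYTES };
    crop_plane_x(&src, x);   /* vf_crop on the input plane */
    crop_plane_x(&dst, x);   /* in-place filtering: output pointer shifted the same way */
    g_last_x = x;
    return line_noise(dst.data, src.data, g_noise, src.width);
}

/* Output byte i of the last cropped line. */
int result_at(int i)
{
    return g_dst[g_last_x + i];
}

int main(void)
{
    for (int x = 0; x <= 1; x++) {
        int path = run_cropped_line(x);
        printf("crop x=%d: %-16s out[0..2] = %d %d %d\n", x,
               path ? "unaligned kernel" : "aligned kernel",
               result_at(0), result_at(1), result_at(2));
    }
    return 0;
}
```

With x=0 all three pointers are aligned and the movdqa-style path runs; with x=1 the shifted src and dst pointers force the movdqu-style path, which is the situation the patch hits unconditionally. On a target without SSE2 the same dispatch decision is still made and the scalar loop produces identical output, so the logic can be checked anywhere.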


From f9244505a596c74269238ab938daf7a7b6c6ee1f Mon Sep 17 00:00:00 2001
From: Ruikai Peng <ruikai@pwno.io>
Date: Thu, 11 Dec 2025 02:53:02 +0100
Subject: [PATCH] avfilter/x86/vf_noise: Use unaligned access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 libavfilter/x86/vf_noise.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavfilter/x86/vf_noise.c b/libavfilter/x86/vf_noise.c
index 95f97b3b06..3edcbd64e5 100644
--- a/libavfilter/x86/vf_noise.c
+++ b/libavfilter/x86/vf_noise.c
@@ -39,7 +39,7 @@ static void line_noise_avg_sse2(uint8_t *dst, const uint8_t *src,
             "movdqu (%1, %%"FF_REG_a"), %%xmm1             \n\t"
             "movdqu (%2, %%"FF_REG_a"), %%xmm2             \n\t"
             "movdqu (%3, %%"FF_REG_a"), %%xmm3             \n\t"
-            "movdqa (%0, %%"FF_REG_a"), %%xmm0             \n\t"
+            "movdqu (%0, %%"FF_REG_a"), %%xmm0             \n\t"
             "paddb              %%xmm2, %%xmm1             \n\t"
             "paddb              %%xmm3, %%xmm1             \n\t"
             "movdqa             %%xmm4, %%xmm5             \n\t"
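Review bot: the change is consistent with the three `movdqu` loads from `%1`, `%2` and `%3` immediately above it, so `src` at `%0` was the only input in this loop still assuming 16-byte alignment; on modern x86 cores `movdqu` on an address that happens to be aligned costs the same as `movdqa`, so nothing is lost by dropping the aligned form. What the commit message does not say is why an alignment check with a scalar fallback (the alternative the description itself names) was not chosen over unconditional unaligned access; a sentence on that would help whoever reads this through `git blame` later.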
@@ -59,7 +59,7 @@ static void line_noise_avg_sse2(uint8_t *dst, const uint8_t *src,
             "psraw                  $7, %%xmm3             \n\t"
             "packsswb           %%xmm3, %%xmm1             \n\t"
             "paddb              %%xmm6, %%xmm1             \n\t"
-            "movdqa             %%xmm1, (%4, %%"FF_REG_a") \n\t"
+            "movdqu             %%xmm1, (%4, %%"FF_REG_a") \n\t"
             "add                   $16, %%"FF_REG_a"       \n\t"
             " js 1b                         \n\t"
             :: "r" (src+xmm_len), "r" (shift[0]+xmm_len), "r" (shift[1]+xmm_len), "r" (shift[2]+xmm_len),
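Review bot: the store at `%4` becomes `movdqu`, which completes the pair with the load fix in the previous hunk; no other memory operand remains in this loop, so `line_noise_avg_sse2` no longer has any aligned access. What is missing is a regression test: the `crop=w=319:x=1:h=240:exact=1,noise=alls=50` graph from the description is a one-line FATE case that would have caught the MMX-to-SSE2 port and would stop `movdqa` from being reintroduced here; consider adding it to the filter tests alongside this change.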
@@ -88,12 +88,12 @@ static void line_noise_sse2(uint8_t *dst, const uint8_t *src,
             "packsswb           %%xmm2, %%xmm2             \n\t"
             ".p2align 4                                    \n\t"
             "1:                                            \n\t"
-            "movdqa (%0, %%"FF_REG_a"), %%xmm0             \n\t"
+            "movdqu (%0, %%"FF_REG_a"), %%xmm0             \n\t"
             "movdqu (%1, %%"FF_REG_a"), %%xmm1             \n\t"
             "pxor               %%xmm2, %%xmm0             \n\t"
             "paddsb             %%xmm1, %%xmm0             \n\t"
             "pxor               %%xmm2, %%xmm0             \n\t"
-            "movntdq            %%xmm0, (%2, %%"FF_REG_a") \n\t"
+            "movdqu             %%xmm0, (%2, %%"FF_REG_a") \n\t"
             "add                   $16, %%"FF_REG_a"       \n\t"
             " js                    1b                     \n\t"
             :: "r" (src+xmm_len), "r" (noise+xmm_len), "r" (dst+xmm_len), "g" (-xmm_len)
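Review bot: replacing `movntdq` with `movdqu` changes more than alignment, and the commit message should say so: `movntdq` is a non-temporal store that bypasses the cache, and SSE2 has no unaligned 128-bit non-temporal store, so switching to a plain unaligned store is the only way to make this path safe, but `dst` lines now travel through the cache hierarchy. If an `sfence` is emitted after this loop for the streaming store (not visible in the hunk) it is now redundant and can go. The operand line `"r" (src+xmm_len), "r" (noise+xmm_len), "r" (dst+xmm_len)` shows all three pointers arrive straight from the caller with no guard, so changing both the load at `%0` and the store at `%2` is the right scope for the fix.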
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
