From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 12 Dec 2025 19:01:33 -0000
Message-ID: <176556609564.39.4040321185115875953@2cb04c0e5124>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] avcodec/vulkan: fix DPX unpack offset (PR #21181)
List-Id: FFmpeg development discussions and patches
From: ruikai via ffmpeg-devel
Cc: ruikai
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #21181 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21181
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21181.patch

The DPX Vulkan unpack shader computes a word offset as

    uint off = (line_off + pix_off >> 5);

Due to GLSL operator precedence this is evaluated as
line_off + (pix_off >> 5) rather than (line_off + pix_off) >> 5.
Since line_off is in bits while off is a 32-bit word index,
scanlines beyond y=0 use an inflated offset and the shader reads
past the end of the DPX slice buffer.

Parenthesize the expression so that the sum is shifted as intended:

    uint off = (line_off + pix_off) >> 5;

This corrects the unpacked data and removes the CRC mismatch
observed between the software and Vulkan DPX decoders for
mispacked 12-bit DPX samples. The GPU OOB read itself is only
observable indirectly via this corruption since it occurs inside
the shader.

Repro on x86_64 with Vulkan/llvmpipe (531ce713a0e8):

    ./configure --cc=clang --disable-optimizations --disable-stripping \
        --enable-debug=3 --disable-doc --disable-ffplay \
        --enable-vulkan --enable-libshaderc \
        --enable-hwaccel=dpx_vulkan \
        --extra-cflags='-fsanitize=address -fno-omit-frame-pointer' \
        --extra-ldflags='-fsanitize=address' && make

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json

PoC: packed 12-bit DPX with the packing flag cleared so the unpack
shader runs (4x64 gbrp12le), e.g. poc12_packed0.dpx.

Software decode:

    ./ffmpeg -v error -i poc12_packed0.dpx -f framecrc -
    -> 0, ..., 1536, 0x26cf81c2

Vulkan hwaccel decode:

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json \
    ./ffmpeg -v error -init_hw_device vulkan \
        -hwaccel vulkan -hwaccel_output_format vulkan \
        -i poc12_packed0.dpx \
        -vf hwdownload,format=gbrp12le -f framecrc -
    -> 0, ..., 1536, 0x71e10a51

The only difference between the two runs is the Vulkan unpack
shader, and the stable CRC mismatch indicates that it is reading
past the intended DPX slice region.

Regression since: 531ce713a0e8
Found-by: Pwno

>>From 6bb19e6c869512f0355a71aeb032d090b9f29061 Mon Sep 17 00:00:00 2001
From: Ruikai Peng
Date: Fri, 12 Dec 2025 13:51:12 -0500
Subject: [PATCH] avcodec/vulkan: fix DPX unpack offset

The DPX Vulkan unpack shader computes a word offset as

    uint off = (line_off + pix_off >> 5);

Due to GLSL operator precedence this is evaluated as
line_off + (pix_off >> 5) rather than (line_off + pix_off) >> 5.
Since line_off is in bits while off is a 32-bit word index,
scanlines beyond y=0 use an inflated offset and the shader reads
past the end of the DPX slice buffer.

Parenthesize the expression so that the sum is shifted as intended:

    uint off = (line_off + pix_off) >> 5;

This corrects the unpacked data and removes the CRC mismatch
observed between the software and Vulkan DPX decoders for
mispacked 12-bit DPX samples. The GPU OOB read itself is only
observable indirectly via this corruption since it occurs inside
the shader.

Repro on x86_64 with Vulkan/llvmpipe (531ce713a0e8):

    ./configure --cc=clang --disable-optimizations --disable-stripping \
        --enable-debug=3 --disable-doc --disable-ffplay \
        --enable-vulkan --enable-libshaderc \
        --enable-hwaccel=dpx_vulkan \
        --extra-cflags='-fsanitize=address -fno-omit-frame-pointer' \
        --extra-ldflags='-fsanitize=address' && make

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json

PoC: packed 12-bit DPX with the packing flag cleared so the unpack
shader runs (4x64 gbrp12le), e.g. poc12_packed0.dpx.

Software decode:

    ./ffmpeg -v error -i poc12_packed0.dpx -f framecrc -
    -> 0, ..., 1536, 0x26cf81c2

Vulkan hwaccel decode:

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json \
    ./ffmpeg -v error -init_hw_device vulkan \
        -hwaccel vulkan -hwaccel_output_format vulkan \
        -i poc12_packed0.dpx \
        -vf hwdownload,format=gbrp12le -f framecrc -
    -> 0, ..., 1536, 0x71e10a51

The only difference between the two runs is the Vulkan unpack
shader, and the stable CRC mismatch indicates that it is reading
past the intended DPX slice region.

Regression since: 531ce713a0e8 Found-by: Pwno --- libavcodec/vulkan/dpx_unpack.comp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vulkan/dpx_unpack.comp b/libavcodec/vulkan/dpx_unpack.comp index b04ce5ddc6..b5ca2cf509 100644 --- a/libavcodec/vulkan/dpx_unpack.comp +++ b/libavcodec/vulkan/dpx_unpack.comp @@ -51,7 +51,7 @@ i16vec4 parse_packed_in_32(ivec2 pos, int stride) uint line_off = pos.y*line_size; uint pix_off = pos.x*BITS_PER_COMP*COMPONENTS; - uint off = (line_off + pix_off >> 5); + uint off = (line_off + pix_off) >> 5; uint bit = pix_off & 0x1f; uint32_t d0 = read_data(off + 0); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
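
Review bot: On the `uint off` line in parse_packed_in_32(), the removed and added expressions parse identically: in GLSL, as in C, additive `+` binds tighter than the shift `>>`, so `line_off + pix_off >> 5` already means `(line_off + pix_off) >> 5` and not `line_off + (pix_off >> 5)`. As written, this hunk should leave the shader's computed offsets unchanged, so it cannot by itself account for the 0x26cf81c2 vs 0x71e10a51 framecrc difference quoted in the commit message. Please confirm by comparing the compiled SPIR-V for dpx_unpack.comp before and after the change, and by re-running the Vulkan framecrc command with the patch applied. If the parentheses are kept for readability, the commit message should say that rather than describe an out-of-bounds read fix. One thing worth checking while tracing the actual cause: `uint bit = pix_off & 0x1f;` takes the bit position from pix_off alone while off is derived from line_off + pix_off, so the two agree only if line_off is always a multiple of 32.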