Date: Fri, 28 Jun 2024 01:50:06 +0200
From: Michael Niedermayer
To: ffmpeg-devel@ffmpeg.org
Message-ID: <20240627235006.GF1904408@pb2>
In-Reply-To: <20240620170109.348254126EA@natalya.videolan.org>
Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] avcodec/mpeg_er: Don't set block_index unnecessarily

On Thu, Jun 20, 2024 at 05:01:08PM +0000, Andreas Rheinhardt wrote:
> ffmpeg | branch: master | Andreas Rheinhardt | Wed Jun 12 08:37:53 2024 +0200| [65d5ccb808ec93de46a2458ea8cc082ce4460f34] | committer: Andreas Rheinhardt
>
> avcodec/mpeg_er: Don't set block_index unnecessarily
>
> ff_init_block_index() sets MpegEncContext.dest and
> MpegEncContext.block_index. The latter is unused by
> ff_mpv_reconstruct_mb() (which is what this code is
> preparatory for) and dest is overwritten a few lines below.
> So don't initialize block_index at all.
>
> Signed-off-by: Andreas Rheinhardt
>
> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65d5ccb808ec93de46a2458ea8cc082ce4460f34
> ---
>
>  libavcodec/mpeg_er.c | 4 ----
>  1 file changed, 4 deletions(-)
>
> diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c
> index e7b3197bb1..fe7dcd7efb 100644
> --- a/libavcodec/mpeg_er.c
> +++ b/libavcodec/mpeg_er.c
> @@ -76,10 +76,6 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
>      s->mcsel = 0;
>      memcpy(s->mv, mv, sizeof(*mv));
>
> -    ff_init_block_index(s);
> -    ff_update_block_index(s, s->avctx->bits_per_raw_sample,
> -                          s->avctx->lowres, s->chroma_x_shift);
> -
>      s->bdsp.clear_blocks(s->block[0]);
>      if (!s->chroma_y_shift)
>          s->bdsp.clear_blocks(s->block[6]);

It seems not unnecessary

Running: 69814/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4868081575329792
=================================================================
==2146502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009c80 at pc 0x00000049b63f bp 0x7ffdecbf28c0 sp 0x7ffdecbf2088
WRITE of size 64 at 0x625000009c80 thread T0
    #0 0x49b63e in __asan_memset /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3
    #1 0xe85598 in ff_clean_intra_table_entries ffmpeg/libavcodec/mpegvideo.c:809:5
    #2 0xe9b926 in mpv_reconstruct_mb_internal ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:68:17
    #3 0xe9b926 in ff_mpv_reconstruct_mb ffmpeg/libavcodec/mpegvideo_dec.c:935
    #4 0xb1f790 in guess_mv ffmpeg/libavcodec/error_resilience.c:456:17
    #5 0xb0f9b5 in ff_er_frame_end ffmpeg/libavcodec/error_resilience.c:1224:9
    #6 0x63e595 in vc1_decode_frame ffmpeg/libavcodec/vc1dec.c:1341:13
    #7 0x4fe53f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
    #8 0x4fe53f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
    #9 0x4fe53f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
    #10 0x4fcf6d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
    #11 0x4d1da7 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:533:25
    #12 0x166259d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #13 0x1657172 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #14 0x165c371 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #15 0x1656e50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #16 0x7fd643b76082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #17 0x423f6d in _start (ffmpeg/tools/target_dec_vc1_fuzzer+0x423f6d)

Address 0x625000009c80 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset
Shadow bytes around the buggy address:
  0x0c4a7fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9390:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2146502==ABORTING
[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Avoid a single point of failure, be that a person or equipment.
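Review bot: the hunk removes ff_update_block_index() as well as ff_init_block_index(), but the commit message only argues about what ff_init_block_index() sets (dest and block_index); nothing in the message says what ff_update_block_index(s, s->avctx->bits_per_raw_sample, s->avctx->lowres, s->chroma_x_shift) contributes or why it can go. The AddressSanitizer report in this reply (VC-1 fuzzer case, ff_er_frame_end -> guess_mv -> ff_mpv_reconstruct_mb -> mpv_reconstruct_mb_internal -> ff_clean_intra_table_entries, a 64-byte memset through a wild pointer at mpegvideo.c:809) lands on exactly the ff_mpv_reconstruct_mb() path the message claims does not use block_index, so the "unused" claim needs re-checking against ff_clean_intra_table_entries before these lines are dropped. Either restore the two calls, i.e. keep
>      ff_init_block_index(s);
>      ff_update_block_index(s, s->avctx->bits_per_raw_sample,
>                            s->avctx->lowres, s->chroma_x_shift);
or extend the commit message to show what state ff_update_block_index() sets up and that no callee on the reconstruct path reads it.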