From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 20 Jul 2024 01:42:07 +0200
Subject: Re: [FFmpeg-devel] [PATCH v5 00/10] aacdec: add a native xHE-AAC decoder
Message-ID: <20240719234207.GI4991@pb2>
In-Reply-To: <20240530023927.1205442-1-dev@lynne.ee>
References: <20240530023927.1205442-1-dev@lynne.ee>

On Thu, May 30, 2024 at 04:37:08AM +0200, Lynne via ffmpeg-devel wrote:
> This commit adds a decoder for the frequency-domain part of USAC.
> 
> Changes over version 4:
> - Actually reset entropy decoding upon configuration.
> - Support for LFE channels.
> 
> Lynne (10):
>   channel_layout: add new channel positions supported by xHE-AAC
>   aacdec: move from scalefactor ranged arrays to flat arrays
>   aacdec: expose channel layout related functions
>   aacdec: expose decode_tns
>   aacdec_dsp: implement 768-point transform and windowing
>   aactab: add deemphasis tables for USAC
>   aactab: add tables for the new USAC arithmetic coder
>   aactab: add new scalefactor offset tables for 96/768pt windows
>   aacdec: add a decoder for AAC USAC (xHE-AAC)
>   fate: add tests for xHE-AAC
> 
>  libavcodec/aac/Makefile              |    3 +-
>  libavcodec/aac/aacdec.c              |  371 +++---
>  libavcodec/aac/aacdec.h              |  219 +++-
>  libavcodec/aac/aacdec_ac.c           |  208 ++++
>  libavcodec/aac/aacdec_ac.h           |   54 +
>  libavcodec/aac/aacdec_dsp_template.c |  162 ++-
>  libavcodec/aac/aacdec_fixed.c        |    2 +
>  libavcodec/aac/aacdec_float.c        |    4 +
>  libavcodec/aac/aacdec_latm.h         |   14 +-
>  libavcodec/aac/aacdec_lpd.c          |  198 ++++
>  libavcodec/aac/aacdec_lpd.h          |   33 +
>  libavcodec/aac/aacdec_usac.c         | 1608 ++++++++++++++++++++++++++
>  libavcodec/aac/aacdec_usac.h         |   37 +
>  libavcodec/aactab.c                  |  560 +++++++++
>  libavcodec/aactab.h                  |   22 +
>  libavcodec/sinewin_fixed_tablegen.c  |    2 +
>  libavcodec/sinewin_fixed_tablegen.h  |    4 +
>  libavutil/channel_layout.c           |    4 +
>  libavutil/channel_layout.h           |    8 +
>  tests/fate/aac.mak                   |    8 +
>  20 files changed, 3286 insertions(+), 235 deletions(-)
>  create mode 100644 libavcodec/aac/aacdec_ac.c
>  create mode 100644 libavcodec/aac/aacdec_ac.h
>  create mode 100644 libavcodec/aac/aacdec_lpd.c
>  create mode 100644 libavcodec/aac/aacdec_lpd.h
>  create mode 100644 libavcodec/aac/aacdec_usac.c
>  create mode 100644 libavcodec/aac/aacdec_usac.h

This patchset seems to introduce some issue. I'll mail you the testcase.

Running: 70425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6007809271988224
=================================================================
==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
WRITE of size 8 at 0x7f465944c648 thread T0
    #0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
    #1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16
    #2 0x4fb930 in aac_decode_frame ffmpeg/libavcodec/aac/aacdec.c:2481:15
    #3 0x68f21f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
    #4 0x68f21f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
    #5 0x68f21f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
    #6 0x68dc4d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
    #7 0x4d1e65 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
    #8 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #9 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #10 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #11 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #12 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #13 0x42402d in _start (ffmpeg/tools/target_dec_aac_fixed_fuzzer+0x42402d)

0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
freed by thread T0 here:
    #0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
    #2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
    #3 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
    #4 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
    #5 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
    #6 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
    #7 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
    #8 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
    #9 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
    #10 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #11 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #12 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #13 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #14 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

previously allocated by thread T0 here:
    #0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
    #1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
    #2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
    #3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
    #4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23
    #5 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
    #6 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
    #7 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
    #8 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
    #9 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
    #10 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
    #11 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
    #12 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
    #13 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #14 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #15 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #16 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #17 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
Shadow bytes around the buggy address:
  0x0fe94b281870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b281880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b281890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b2818a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b2818b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe94b2818c0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0fe94b2818d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b2818e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b2818f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b281900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe94b281910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==87684==ABORTING

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin