Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 0/4] Opus
@ 2025-07-04 10:35 ffmpegagent
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size Andreas Rheinhardt
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: ffmpegagent @ 2025-07-04 10:35 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: mkver

The main aim of this patchset is to fix the UB in opus-testvector02
without adding branches.

Andreas Rheinhardt (4):
  avcodec/opus/dec: Don't use outdated size
  avcodec/opus/dec: Remove unused parameters
  avcodec/opus/dec: Don't call function multiple times in FFMAX
  avcodec/opus/dec: Simplify resetting AVAudioFifo

 libavcodec/opus/dec.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)


base-commit: 0fe9f25e76163613505f77a8036dc62524070f0a
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-105%2Fmkver%2Fopus_ub-v1
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-105/mkver/opus_ub-v1
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/105
-- 
ffmpeg-codebot
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size
  2025-07-04 10:35 [FFmpeg-devel] [PATCH 0/4] Opus ffmpegagent
@ 2025-07-04 10:35 ` Andreas Rheinhardt
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 2/4] avcodec/opus/dec: Remove unused parameters Andreas Rheinhardt
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Andreas Rheinhardt @ 2025-07-04 10:35 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Andreas Rheinhardt

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

When flushing, the code would use subpacket sizes from the last
proper packet sent and use this to offset the NULL buf variable
which is UB (this happens in the opus-testvector02 FATE-test).

This also has the potential to make buf != NULL, so that one
would enter the codepath for non-flush packets and try to parse
a subpacket, erroring out because the size would be negative
(I don't have a sample for this as the testvector02 sample
only uses one stream).

Fix this by not using wrong sizes.

Fixes: libavcodec/opus/dec.c:588:18: runtime error: applying non-zero offset 10 to null pointer

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index 6c59dc1f46..a43146c82c 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -484,6 +484,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
     int coded_samples   = 0;
     int decoded_samples = INT_MAX;
     int delayed_samples = 0;
+    int subpacket_size  = 0;
     int i, ret;
 
     /* calculate the number of delayed samples */
@@ -504,6 +505,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
             return ret;
         }
         coded_samples += pkt->frame_count * pkt->frame_duration;
+        subpacket_size = pkt->packet_size;
         c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config);
     }
 
@@ -575,6 +577,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
                 return AVERROR_INVALIDDATA;
             }
 
+            subpacket_size     = s->packet.packet_size;
             s->silk_samplerate = get_silk_samplerate(s->packet.config);
         }
 
@@ -585,8 +588,8 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
         s->decoded_samples = ret;
         decoded_samples       = FFMIN(decoded_samples, ret);
 
-        buf      += s->packet.packet_size;
-        buf_size -= s->packet.packet_size;
+        buf       = FF_PTR_ADD(buf, subpacket_size);
+        buf_size -= subpacket_size;
     }
 
     /* buffer the extra samples */
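
Review bot: at the new buf = FF_PTR_ADD(buf, subpacket_size) line, the advance is only correct if subpacket_size is either the size just parsed for the current stream or still 0, and nothing near the use says so. The variable is function-scope, its assignments sit in nested blocks (next to c->streams[0].silk_samplerate for the first stream and next to s->silk_samplerate for the others), and the "= 0" initializer is what covers the flush case from the commit message. A one-line comment at this use stating that invariant, including that it stays 0 when buf is NULL, would keep a later cleanup from dropping the initializer or moving an assignment.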
-- 
ffmpeg-codebot
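
The flush-path bug described in the PATCH 1/4 commit message, as an added C model that is not FFmpeg code and not part of the patch. Stream, ptr_add, walk, flush_null_offset and the length-prefixed packet layout are all constructed for illustration; ptr_add is a local helper, not the definition of FF_PTR_ADD, which the page does not show.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { int packet_size; } Stream; /* hypothetical per-stream state */

/* Guarded add: no arithmetic at all when off == 0, so a NULL buf stays NULL. */
static const uint8_t *ptr_add(const uint8_t *p, int off) { return off ? p + off : p; }

/* Walks nb subpackets; buf == NULL is a flush call, so nothing is parsed.
 * fixed == 0: old loop, advances by the size stored in the stream (stale on flush).
 * fixed == 1: patched loop, advances by a per-call local that starts at 0.
 * Returns bytes consumed or -1 on a bad size. *null_off gets the first non-zero
 * offset aimed at a NULL buf; that add is skipped so the model never executes UB. */
static int walk(Stream *st, int nb, const uint8_t *buf, int buf_size,
                int fixed, int *null_off)
{
    int consumed = 0, subpacket_size = 0;
    *null_off = 0;
    for (int i = 0; i < nb; i++) {
        if (buf) { /* constructed format: 1-byte total-length prefix */
            if (buf_size < 1 || buf[0] < 1 || buf[0] > buf_size)
                return -1;
            st[i].packet_size = subpacket_size = buf[0];
        }
        int adv = fixed ? subpacket_size : st[i].packet_size;
        if (!buf && adv) { /* old loop on flush: NULL + stale size */
            if (!*null_off)
                *null_off = adv;
            continue;
        }
        buf       = ptr_add(buf, adv);
        buf_size -= adv;
        consumed += adv;
    }
    return consumed;
}

/* Decodes a constructed packet (subpackets of 3 and 2 bytes), then flushes;
 * returns the offset that the flush call aimed at the NULL buffer. */
int flush_null_offset(int fixed)
{
    static const uint8_t pkt[] = { 3, 0xAA, 0xBB, 2, 0xCC };
    Stream st[2] = { { 0 }, { 0 } };
    int off;
    if (walk(st, 2, pkt, (int)sizeof(pkt), fixed, &off) != 5)
        return -1;
    walk(st, 2, NULL, 0, fixed, &off);
    return off;
}
```

With fixed == 0 the flush call reports the stale first-stream size as the offset aimed at NULL, which is the class of error the sanitizer line in the commit message reports; with fixed == 1 the offset is 0 and the guarded add leaves buf untouched.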


* [FFmpeg-devel] [PATCH 2/4] avcodec/opus/dec: Remove unused parameters
  2025-07-04 10:35 [FFmpeg-devel] [PATCH 0/4] Opus ffmpegagent
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size Andreas Rheinhardt
@ 2025-07-04 10:35 ` Andreas Rheinhardt
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 3/4] avcodec/opus/dec: Don't call function multiple times in FFMAX Andreas Rheinhardt
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 4/4] avcodec/opus/dec: Simplify resetting AVAudioFifo Andreas Rheinhardt
  3 siblings, 0 replies; 5+ messages in thread
From: Andreas Rheinhardt @ 2025-07-04 10:35 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Andreas Rheinhardt

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

The parameters here are not only unused, but buf_size's value
is actually wrong when flushing (it comes from the subpacket
of the last packet sent and is therefore outdated).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index a43146c82c..05f7a12d8e 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -393,9 +393,7 @@ static int opus_decode_frame(OpusStreamContext *s, const uint8_t *data, int size
     return samples;
 }
 
-static int opus_decode_subpacket(OpusStreamContext *s,
-                                 const uint8_t *buf, int buf_size,
-                                 int nb_samples)
+static int opus_decode_subpacket(OpusStreamContext *s, const uint8_t *buf)
 {
     int output_samples = 0;
     int flush_needed   = 0;
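
Review bot: with buf_size removed from the opus_decode_subpacket signature, buf is now a bare pointer with no length beside it, and per the commit messages in this series it is NULL when flushing. A short comment above the function saying that buf may be NULL and where the callee takes its bounds from would document the contract the dropped parameter used to imply.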
@@ -581,8 +579,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
             s->silk_samplerate = get_silk_samplerate(s->packet.config);
         }
 
-        ret = opus_decode_subpacket(&c->streams[i], buf, s->packet.data_size,
-                                    coded_samples);
+        ret = opus_decode_subpacket(&c->streams[i], buf);
         if (ret < 0)
             return ret;
         s->decoded_samples = ret;
-- 
ffmpeg-codebot


* [FFmpeg-devel] [PATCH 3/4] avcodec/opus/dec: Don't call function multiple times in FFMAX
  2025-07-04 10:35 [FFmpeg-devel] [PATCH 0/4] Opus ffmpegagent
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size Andreas Rheinhardt
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 2/4] avcodec/opus/dec: Remove unused parameters Andreas Rheinhardt
@ 2025-07-04 10:35 ` Andreas Rheinhardt
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 4/4] avcodec/opus/dec: Simplify resetting AVAudioFifo Andreas Rheinhardt
  3 siblings, 0 replies; 5+ messages in thread
From: Andreas Rheinhardt @ 2025-07-04 10:35 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Andreas Rheinhardt

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index 05f7a12d8e..b0e149e636 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -490,8 +490,9 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
         OpusStreamContext *s = &c->streams[i];
         s->out[0] =
         s->out[1] = NULL;
+        int fifo_samples = av_audio_fifo_size(s->sync_buffer);
         delayed_samples = FFMAX(delayed_samples,
-                                s->delayed_samples + av_audio_fifo_size(s->sync_buffer));
+                                s->delayed_samples + fifo_samples);
     }
 
     /* decode the header of the first sub-packet to find out the sample count */
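
Review bot: int fifo_samples is declared after the s->out[0] = s->out[1] = NULL; statement, so the block now mixes a declaration in after code; moving it up next to OpusStreamContext *s keeps the declarations together. The commit message also has no body: one sentence on why the call must not appear inside the FFMAX argument would tell readers why the temporary exists.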
-- 
ffmpeg-codebot


* [FFmpeg-devel] [PATCH 4/4] avcodec/opus/dec: Simplify resetting AVAudioFifo
  2025-07-04 10:35 [FFmpeg-devel] [PATCH 0/4] Opus ffmpegagent
                   ` (2 preceding siblings ...)
  2025-07-04 10:35 ` [FFmpeg-devel] [PATCH 3/4] avcodec/opus/dec: Don't call function multiple times in FFMAX Andreas Rheinhardt
@ 2025-07-04 10:35 ` Andreas Rheinhardt
  3 siblings, 0 replies; 5+ messages in thread
From: Andreas Rheinhardt @ 2025-07-04 10:35 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Andreas Rheinhardt

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index b0e149e636..3118f2b99c 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -323,7 +323,7 @@ static int opus_decode_frame(OpusStreamContext *s, const uint8_t *data, int size
             } else {
                 av_log(s->avctx, AV_LOG_WARNING,
                        "Spurious CELT delay samples present.\n");
-                av_audio_fifo_drain(s->celt_delay, delay_samples);
+                av_audio_fifo_reset(s->celt_delay);
                 if (s->avctx->err_recognition & AV_EF_EXPLODE)
                     return AVERROR_BUG;
             }
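
Review bot: in the "Spurious CELT delay samples" branch, av_audio_fifo_drain(s->celt_delay, delay_samples) becomes a full av_audio_fifo_reset(s->celt_delay), which is the same operation only if delay_samples equals the FIFO's entire size at that point. The hunk does not show where delay_samples comes from and the commit message has no body, so please state that equivalence there, or describe the behaviour change if there is one.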
@@ -640,10 +640,10 @@ static av_cold void opus_decode_flush(AVCodecContext *ctx)
         memset(&s->packet, 0, sizeof(s->packet));
         s->delayed_samples = 0;
 
-        av_audio_fifo_drain(s->celt_delay, av_audio_fifo_size(s->celt_delay));
+        av_audio_fifo_reset(s->celt_delay);
         swr_close(s->swr);
 
-        av_audio_fifo_drain(s->sync_buffer, av_audio_fifo_size(s->sync_buffer));
+        av_audio_fifo_reset(s->sync_buffer);
 
         ff_silk_flush(s->silk);
         ff_celt_flush(s->celt);
-- 
ffmpeg-codebot