From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] libavcodec/h264dec: avoid arithmetic on null pointers
Date: Thu, 2 Mar 2023 08:37:25 -0300
Message-ID: <7448f475-956c-26da-01f0-92f33ac08ba8@gmail.com>
In-Reply-To: <721e5b23-d729-3566-3d90-12c19b7716d7@gmail.com>
On 3/2/2023 8:33 AM, James Almer wrote:
> On 3/2/2023 6:05 AM, Anton Khirnov wrote:
>> Quoting Jeremy Dorfman (2023-03-01 19:50:08)
>>> null pointer arithmetic is undefined behavior in C.
>>> ---
>>> libavcodec/h264dec.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
>>> index 2d691731c5..ef698f2630 100644
>>> --- a/libavcodec/h264dec.c
>>> +++ b/libavcodec/h264dec.c
>>> @@ -912,8 +912,8 @@ static int finalize_frame(H264Context *h, AVFrame
>>> *dst, H264Picture *out, int *g
>>> av_log(h->avctx, AV_LOG_DEBUG, "Duplicating field %d to
>>> fill missing\n", field);
>>> for (p = 0; p<4; p++) {
>>> - dst_data[p] = f->data[p] + (field^1)*f->linesize[p];
>>> - src_data[p] = f->data[p] + field *f->linesize[p];
>>> + dst_data[p] = f->data[p] ? f->data[p] +
>>> (field^1)*f->linesize[p] : NULL;
>>> + src_data[p] = f->data[p] ? f->data[p] + field
>>> *f->linesize[p] : NULL;
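Review bot: the commit message says only that null pointer arithmetic is undefined behaviour; for the two changed assignments in finalize_frame() it should also say why f->data[p] can be NULL there (no pixel format this decoder supports uses all four planes, so the trailing entries of f->data[] are never allocated), which is the first question the guard raises. Since the same guard is spelled out twice, consider the tree's existing FF_PTR_ADD() helper in place of the open-coded ternaries. Note also that the continuation lines of both new statements arrive here without a leading "+", so the patch as quoted looks mail-wrapped and may need resending with git send-email.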
>>
>> Why would that be NULL? Seems like something that should not happen.
>
> None of the supported pixel formats in this decoder use four planes, so
> at least the last one will always be NULL. FF_PTR_ADD() is what we did
> in similar situations, like in sws_receive_slice(), when we don't use
> some helper to get the exact number of used planes from the pixfmt
> descriptor.
http://coverage.ffmpeg.org/index.h264dec.c.8820c603e94612cd02689417231bc605.html#l912
The ubsan fate instance would have detected this long ago if we had a
sample that covers this path.
Do you happen to have one you can make public to be added to the FATE
suite, Jeremy? Or was this problem found using some static analyzer?
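A worked example of the two guard styles this thread contrasts, the patch's check on the plane pointer and the FF_PTR_ADD()-style check on the offset, added here as illustration; it is not code from the patch or from FFmpeg. It builds a constructed two-plane frame in which planes 2 and 3 are unused (data NULL, linesize 0), the situation James describes, and performs the field duplication that finalize_frame() is doing at the patched lines. ToyFrame, PTR_ADD_SAFE, field_plane_pointers, duplicate_field, the demo functions and the sample buffers are names invented for this example; the FF_PTR_ADD() definition that PTR_ADD_SAFE mirrors is written from memory and marked as an assumption in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PLANES 4
#define W 4
#define H 4

/* Toy stand-in for the AVFrame fields the hunk touches (constructed for this
 * example, not FFmpeg's AVFrame). Unused planes carry data == NULL and
 * linesize == 0, which is the case the patch guards against. */
typedef struct {
    uint8_t  *data[NUM_PLANES];
    ptrdiff_t linesize[NUM_PLANES];
    int       height;
} ToyFrame;

/* Offset-side guard in the style of FFmpeg's FF_PTR_ADD(). Assumption: the
 * real macro in libavutil/internal.h is ((off) ? (ptr) + (off) : (ptr)), i.e.
 * it skips the addition when the offset is zero. It only avoids NULL + off
 * when an unused plane also has linesize 0; the pointer-side guard below
 * does not depend on that. */
#define PTR_ADD_SAFE(ptr, off) ((off) ? (ptr) + (off) : (ptr))

/* The patch's approach: test the plane pointer before doing arithmetic on it.
 * Fills out[] with the first row of `field` in every plane and returns how
 * many planes are actually in use. */
static int field_plane_pointers(const ToyFrame *f, int field,
                                uint8_t *out[NUM_PLANES])
{
    int used = 0;
    for (int p = 0; p < NUM_PLANES; p++) {
        out[p] = f->data[p] ? f->data[p] + field * f->linesize[p] : NULL;
        if (out[p])
            used++;
    }
    return used;
}

/* Same computation with the offset-side guard, for comparison. */
static uint8_t *field_plane_pointer_offset_guard(const ToyFrame *f, int p,
                                                 int field)
{
    return PTR_ADD_SAFE(f->data[p], field * f->linesize[p]);
}

/* Copy every row of `field` over the matching row of the other field (what
 * finalize_frame() does when a field is missing). Rows of one field are
 * 2 * linesize apart. Returns the number of rows copied over all planes. */
static int duplicate_field(ToyFrame *f, int field, int width)
{
    uint8_t *src[NUM_PLANES], *dst[NUM_PLANES];
    int rows = 0;

    field_plane_pointers(f, field, src);
    field_plane_pointers(f, field ^ 1, dst);

    for (int p = 0; p < NUM_PLANES; p++) {
        if (!src[p])   /* unused plane: nothing to copy and no arithmetic */
            continue;
        for (int y = 0; y < f->height / 2; y++) {
            ptrdiff_t off = 2 * y * f->linesize[p];
            memcpy(dst[p] + off, src[p] + off, width);
            rows++;
        }
    }
    return rows;
}

/* Constructed sample: a two-plane 4x4 frame. Row y of plane 0 holds the
 * value y, row y of plane 1 holds 10 + y, so each row's field is visible. */
static uint8_t g_plane0[W * H];
static uint8_t g_plane1[W * H];

static ToyFrame make_sample_frame(void)
{
    ToyFrame f;
    memset(&f, 0, sizeof(f));          /* planes 2 and 3 stay NULL / 0 */
    for (int y = 0; y < H; y++) {
        memset(g_plane0 + y * W, y, W);
        memset(g_plane1 + y * W, 10 + y, W);
    }
    f.data[0] = g_plane0; f.linesize[0] = W;
    f.data[1] = g_plane1; f.linesize[1] = W;
    f.height  = H;
    return f;
}

/* Duplicate field 0 (even rows) into field 1 (odd rows) of the sample frame;
 * afterwards rows 1 and 3 of each plane equal rows 0 and 2. Returns the row
 * count copied: 2 planes * 2 rows = 4. */
static int demo_duplicate_field(void)
{
    ToyFrame f = make_sample_frame();
    return duplicate_field(&f, 0, W);
}

/* Both guards must agree on every plane, including the unused ones, where
 * each yields NULL without touching a null pointer. Returns 1 on agreement. */
static int demo_guards_agree(void)
{
    ToyFrame f = make_sample_frame();
    uint8_t *ptrs[NUM_PLANES];
    field_plane_pointers(&f, 1, ptrs);
    for (int p = 0; p < NUM_PLANES; p++)
        if (ptrs[p] != field_plane_pointer_offset_guard(&f, p, 1))
            return 0;
    return 1;
}

int main(void)
{
    printf("rows copied: %d, guards agree: %d\n",
           demo_duplicate_field(), demo_guards_agree());
    return 0;
}
```

Building this with `-fsanitize=undefined` and removing either guard is the quickest way to see what the ubsan FATE instance would have reported: clang's pointer-overflow check flags even `NULL + 0` ("applying zero offset to null pointer"), which is exactly the expression the unpatched loop evaluates for the unused planes.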
Thread overview: 8+ messages
2023-03-01 18:50 Jeremy Dorfman
2023-03-01 19:07 ` James Almer
2023-03-01 20:22 ` Jeremy Dorfman
2023-03-01 20:31 ` Jeremy Dorfman
2023-03-02 9:05 ` Anton Khirnov
2023-03-02 11:33 ` James Almer
2023-03-02 11:37 ` James Almer [this message]
2023-03-02 16:09 ` Jeremy Dorfman