From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> To: ffmpeg-devel@ffmpeg.org Cc: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> Subject: [FFmpeg-devel] [PATCH 4/6] avcodec/vp3: Fix undefined pointer arithmetic Date: Fri, 15 Sep 2023 16:47:26 +0200 Message-ID: <AS8P250MB07448FF502A0A661A49A94628FF6A@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM> (raw) In-Reply-To: <AS8P250MB074416F35B7E361995963E6D8FF0A@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM> When decoding a keyframe, last_frame and golden_frame are not used at all and (at least when starting decoding) are not set at all. But due to code sharing pointer arithmetic on the NULL data-pointers of these frames has nevertheless been performed. This is undefined behaviour and causes e.g. "runtime error: applying non-zero offset 173440 to null pointer" from UBSan in the vp31, vp4, theora-coeff-level64 and theora-offset FATE-tests. Fix this by reusing the current frame for unavailable frames. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavcodec/vp3.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 33c120a58e..5ce1ecfce7 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2056,6 +2056,14 @@ static void render_slice(Vp3DecodeContext *s, int slice) { int16_t *block = s->block; int motion_x = 0xdeadbeef, motion_y = 0xdeadbeef; + /* When decoding keyframes, the earlier frames may not be available, + * so to avoid using undefined pointer arithmetic on them we just + * use the current frame instead. Nothing is ever read from these + * frames in case of a keyframe. */ + const AVFrame *last_frame = s->last_frame.f->data[0] ? + s->last_frame.f : s->current_frame.f; + const AVFrame *golden_frame = s->golden_frame.f->data[0] ? + s->golden_frame.f : s->current_frame.f; int motion_halfpel_index; int first_pixel; 
@@ -2065,9 +2073,9 @@ static void render_slice(Vp3DecodeContext *s, int slice) for (int plane = 0; plane < 3; plane++) { uint8_t *output_plane = s->current_frame.f->data[plane] + s->data_offset[plane]; - const uint8_t *last_plane = s->last_frame.f->data[plane] + + const uint8_t *last_plane = last_frame->data[plane] + s->data_offset[plane]; - const uint8_t *golden_plane = s->golden_frame.f->data[plane] + + const uint8_t *golden_plane = golden_frame->data[plane] + s->data_offset[plane]; ptrdiff_t stride = s->current_frame.f->linesize[plane]; int plane_width = s->width >> (plane && s->chroma_x_shift); -- 2.34.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
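Review bot: the fallback in the new `last_frame`/`golden_frame` initialisers in the first hunk is applied regardless of whether the slice belongs to a keyframe, while the accompanying comment only argues that keyframes never read from these frames. If an inter frame can reach render_slice() with `s->last_frame.f->data[0] == NULL` (a stream whose first packet is not a keyframe, for instance), the decoder would now silently use the frame it is writing as its reference instead of failing. Either state in the comment where that case is rejected before render_slice(), or tie the substitution to the keyframe flag so it is only performed when nothing will be read. Note also that the check dereferences `s->last_frame.f` and `s->golden_frame.f` unconditionally, so it relies on those AVFrame structs themselves always being allocated even when their buffers are not.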
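Review bot: with the fallback in place, `last_plane` and `golden_plane` in the second hunk become aliases of `output_plane` for keyframes, since all three are then derived from `s->current_frame.f->data[plane] + s->data_offset[plane]`. That is fine as long as nothing in this loop reads them on the keyframe path, but a one-line comment where `last_plane`/`golden_plane` are consumed (or an av_assert0-style check on the keyframe path) would make the invariant visible, so that a future change which reads the reference planes does not quietly turn into a read of the frame being written.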
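The pattern behind this patch, as an added example that is not FFmpeg code: a hypothetical `Frame` struct stands in for the `data[]`/`linesize[]` fields of AVFrame, `select_reference()` mirrors the patch's ternary (a reference with no buffer is replaced by the current frame so that `data[plane] + offset` never starts from NULL), and `resolve_references()` goes one step further than the patch by refusing to substitute on an inter frame, where a missing reference would be a real decoding error rather than a harmless placeholder. All function and type names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the few AVFrame fields the patch touches. */
typedef struct Frame {
    uint8_t  *data[3];      /* plane buffers; NULL when the frame was never allocated */
    ptrdiff_t linesize[3];
} Frame;

/* Resolved reference frames for one slice (hypothetical). */
typedef struct Refs {
    const Frame *last;
    const Frame *golden;
} Refs;

/* Mirror of the patch's ternary: a reference without a buffer is replaced by
 * the current frame, so a later "data[plane] + offset" never starts from NULL
 * (applying a non-zero offset to a null pointer is undefined behaviour). */
static const Frame *select_reference(const Frame *ref, const Frame *cur)
{
    return (ref && ref->data[0]) ? ref : cur;
}

/* Resolve references before any plane pointer is formed.
 * Returns 0 on success. On an inter frame a missing reference is a real
 * error (the slice would read garbage), so return -1 instead of substituting. */
int resolve_references(int keyframe, const Frame *last, const Frame *golden,
                       const Frame *cur, Refs *out)
{
    if (!cur || !cur->data[0])
        return -1;
    if (!keyframe) {
        if (!last || !last->data[0] || !golden || !golden->data[0])
            return -1;
    }
    out->last   = select_reference(last, cur);
    out->golden = select_reference(golden, cur);
    return 0;
}

/* Plane pointer from a frame that is known to own a buffer. */
const uint8_t *plane_ptr(const Frame *f, int plane, ptrdiff_t offset)
{
    return f->data[plane] + offset;
}

/* Scenario 1: keyframe with never-allocated references (constructed input);
 * expect both references to fall back to the current frame and the reference
 * plane pointers to alias the output plane. Returns 1 on success. */
int keyframe_falls_back_to_current(void)
{
    static uint8_t buf[3 * 16];
    Frame cur  = { { buf, buf + 16, buf + 32 }, { 16, 8, 8 } };
    Frame none = { { NULL, NULL, NULL }, { 0, 0, 0 } };
    Refs r;
    if (resolve_references(1, &none, &none, &cur, &r) != 0)
        return 0;
    return r.last == &cur && r.golden == &cur &&
           plane_ptr(r.last, 1, 4) == plane_ptr(&cur, 1, 4);
}

/* Scenario 2: inter frame whose golden reference is missing (constructed
 * input); expect rejection rather than silent substitution. Returns 1 if so. */
int interframe_missing_reference_is_rejected(void)
{
    static uint8_t buf[3 * 16];
    Frame cur  = { { buf, buf + 16, buf + 32 }, { 16, 8, 8 } };
    Frame none = { { NULL, NULL, NULL }, { 0, 0, 0 } };
    Refs r;
    return resolve_references(0, &cur, &none, &cur, &r) == -1;
}

int main(void)
{
    printf("keyframe fallback: %s\n",
           keyframe_falls_back_to_current() ? "ok" : "FAIL");
    printf("inter frame without reference rejected: %s\n",
           interframe_missing_reference_is_rejected() ? "ok" : "FAIL");
    return 0;
}
```

Building with `-fsanitize=undefined` is the check that matters here: the UBSan diagnostic quoted in the commit message ("applying non-zero offset ... to null pointer") is exactly what the fallback removes, and the inter-frame rejection keeps the substitution from masking a genuinely missing reference.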
Thread overview: 9+ messages
2023-09-13 14:23 [FFmpeg-devel] [PATCH 1/3] avcodec/vp3: Move work after ff_thread_finish_setup Andreas Rheinhardt
2023-09-13 14:25 ` [FFmpeg-devel] [PATCH 2/3] avcodec/vp3: Add const where appropriate Andreas Rheinhardt
2023-09-13 14:25 ` [FFmpeg-devel] [PATCH 3/3] avcodec/vp3: Use range-based loop variables Andreas Rheinhardt
2023-09-15 11:06 ` [FFmpeg-devel] [PATCH 1/3] avcodec/vp3: Move work after ff_thread_finish_setup Andreas Rheinhardt
2023-09-15 14:47 ` Andreas Rheinhardt [this message]
2023-09-17 0:09 ` [FFmpeg-devel] [PATCH 4/6] avcodec/vp3: Fix undefined pointer arithmetic Andreas Rheinhardt
2023-09-15 14:47 ` [FFmpeg-devel] [PATCH 5/6] avcodec/vp3: Simplify shuffling frames, fix crash on alloc error Andreas Rheinhardt
2023-09-15 14:47 ` [FFmpeg-devel] [PATCH 6/6] avcodec/vp3: Don't truncate ptrdiff_t Andreas Rheinhardt
2023-09-15 15:28 ` Paul B Mahol