This was supposed to be in reply to a previous patch I sent, but I changed the git message so maybe it didn't like that. Sorry about that. Attached is the example YUVA file that can reproduce the overflow bug. The command to reproduce is: ./ffmpeg \ -f rawvideo -video_size 66x64 -pixel_format yuva420p10le \ -i overflow_input_w66h64.yuva420p10le \ -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" \ -f rawvideo -codec:v:0 rawvideo -pixel_format rgba64 -map '[out]' \ -y overflow_w66h64.rgba64 I've attached a PNG of the resulting overflowed image, there is a clear discoloration in the bottom left corner that's orange instead of pink. I've also attached a PNG of the image using the patch to correct this overflow. On Tue, Nov 1, 2022 at 3:05 PM Drew Dunne wrote: > Avoid a possible integer overflow in the yuv2rgba64 templates by using > av_sat_add32 when combing the R, G, B components with Y. On certain > inputs, this addition can overflow to a negative, is then clipped to a > power of two and shifted down 14. This results in a much different value > in the output than had it been saturated instead. I will attach an > example input YUV in a follow up and some images that show the artifacts > resulting from this overflow. > > --- > libswscale/output.c | 96 ++++++++++++++++++++++----------------------- > 1 file changed, 48 insertions(+), 48 deletions(-) > > diff --git a/libswscale/output.c b/libswscale/output.c > index 0e1c1225a0..8c8f62682a 100644 > --- a/libswscale/output.c > +++ b/libswscale/output.c > @@ -1109,20 +1109,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const > int16_t *lumFilter, > B = U * c->yuv2rgb_u2b_coeff; > > // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y1), 30) > >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y1), 30) > >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y1), 30) > >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); > - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); > - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); > - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32(R_B, Y2), > 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32( G, Y2), > 30) >> 14); > + output_pixel(&dest[6], av_clip_uintp2(av_sat_add32(B_R, Y2), > 30) >> 14); > output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); > dest += 8; > } else { > - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); > - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); > - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); > + output_pixel(&dest[3], av_clip_uintp2(av_sat_add32(R_B, Y2), > 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32( G, Y2), > 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32(B_R, Y2), > 30) >> 14); > dest += 6; > } > } > @@ -1175,20 +1175,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const > int32_t *buf[2], > A2 += 1 << 13; > } > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y1), 30) > >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y1), 30) > >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y1), 30) > >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); > - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); > - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); > - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32(R_B, Y2), > 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32( G, Y2), > 30) >> 14); > + output_pixel(&dest[6], av_clip_uintp2(av_sat_add32(B_R, Y2), > 30) >> 14); > output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); > dest += 8; > } else { > - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); > - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); > - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); > + output_pixel(&dest[3], av_clip_uintp2(av_sat_add32(R_B, Y2), > 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32( G, Y2), > 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32(B_R, Y2), > 30) >> 14); > dest += 6; > } > } > @@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const > int32_t *buf0, > G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; > B = U * c->yuv2rgb_u2b_coeff; > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y1), > 30) >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y1), > 30) >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y1), > 30) >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> > 14); > - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> > 14); > - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> > 14); > - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> > 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32(R_B, > Y2), 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32( G, > Y2), 30) >> 14); > + output_pixel(&dest[6], av_clip_uintp2(av_sat_add32(B_R, > Y2), 30) >> 14); > output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> > 14); > dest += 8; > } else { > - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> > 14); > - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> > 14); > - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> > 14); > + output_pixel(&dest[3], av_clip_uintp2(av_sat_add32(R_B, > Y2), 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32( G, > Y2), 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32(B_R, > Y2), 30) >> 14); > dest += 6; > } > } > @@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const > int32_t *buf0, > G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; > B = U * c->yuv2rgb_u2b_coeff; > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y1), > 30) >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y1), > 30) >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y1), > 30) >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> > 14); > - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> > 14); > - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> > 14); > - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> > 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32(R_B, > Y2), 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32( G, > Y2), 30) >> 14); > + output_pixel(&dest[6], av_clip_uintp2(av_sat_add32(B_R, > Y2), 30) >> 14); > output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> > 14); > dest += 8; > } else { > - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> > 14); > - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> > 14); > - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> > 14); > + output_pixel(&dest[3], av_clip_uintp2(av_sat_add32(R_B, > Y2), 30) >> 14); > + output_pixel(&dest[4], av_clip_uintp2(av_sat_add32( G, > Y2), 30) >> 14); > + output_pixel(&dest[5], av_clip_uintp2(av_sat_add32(B_R, > Y2), 30) >> 14); > dest += 6; > } > } > @@ -1351,9 +1351,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const > int16_t *lumFilter, > B = U * c->yuv2rgb_u2b_coeff; > > // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y), 30) > >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y), 30) > >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y), 30) > >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); > dest += 4; > @@ -1404,9 +1404,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const > int32_t *buf[2], > A += 1 << 13; > } > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y), 30) > >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y), 30) > >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y), 30) > >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); > dest += 4; > @@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const > int32_t *buf0, > G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; > B = U * c->yuv2rgb_u2b_coeff; > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y), > 30) >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y), > 30) >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y), > 30) >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); > dest += 4; > @@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const > int32_t *buf0, > G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; > B = U * c->yuv2rgb_u2b_coeff; > > - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); > - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); > - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); > + output_pixel(&dest[0], av_clip_uintp2(av_sat_add32(R_B, Y), > 30) >> 14); > + output_pixel(&dest[1], av_clip_uintp2(av_sat_add32( G, Y), > 30) >> 14); > + output_pixel(&dest[2], av_clip_uintp2(av_sat_add32(B_R, Y), > 30) >> 14); > if (eightbytes) { > output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); > dest += 4; > -- > 2.38.1.273.g43a17bfeac-goog > > -- Drew Dunne asdunne@google.com