From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 68CD144D6D
	for <ffmpegdev@gitmailbox.com>; Mon, 21 Nov 2022 10:50:16 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5F57168BD29;
	Mon, 21 Nov 2022 12:50:13 +0200 (EET)
Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com
 [209.85.208.170])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id A259868BBEE
 for <ffmpeg-devel@ffmpeg.org>; Mon, 21 Nov 2022 12:50:06 +0200 (EET)
Received: by mail-lj1-f170.google.com with SMTP id h12so14021568ljg.9
 for <ffmpeg-devel@ffmpeg.org>; Mon, 21 Nov 2022 02:50:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=GDts3GXIo8FelM/qOIkrcwsw5bgpubuZ2j/41m3U1Pw=;
 b=ORR4ch7YeaEwYpYgeyefO54thocGagQpKRTD1JEBxGfJn/tBBHBaa02qg7WEZsaBMI
 7nEEjWrV1QdCzCmcO5A97TIuWOmFrmA40uYWVcq7dzrbe0DvBhQ0Jk+i9h/O1q0DFttU
 OjD88RaWa/6KAjzqguTI/EgtW1t9sXXeTGXvk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=GDts3GXIo8FelM/qOIkrcwsw5bgpubuZ2j/41m3U1Pw=;
 b=T06+RiB/pxeQqnh6f7uVZvR+ULyWQkLHkl3Sy+ywIQuGK0cXhGVIvwDyQ8brI6wYyH
 BQWiDUIKCv/3yR3raWgBwREiFGJlXxCVnRCg5jaLlkZn+Zpv7tyDTplvGCDRVMvn7W6h
 uX6sAPNsULpDhHohVgCAMddDeDuyx3GhFlR2sfrgmA4FJmmqmO+EXXxAywpD/JAxjzJu
 6bJyhAnuXPFgWNrJ09TX/haDKN+lZlpq5no0qZOkgJgmhfwUKQIu5hLdQayWxKa1/cwk
 CJQ5UBcE/HyjSColiOuM7LPEktBcZeo6tE2NcL/hayL4uTsKO0SKLTa9UHfypV9Z2Y00
 MBWA==
X-Gm-Message-State: ANoB5pkGsjFTAFaillDeoDfwhmed59FyLHczjblci4INne5z9o+jNCvI
 pnEUBJG8eISjdCDJqF2mJx/cjTO9eviL9tphHZ56og==
X-Google-Smtp-Source: AA0mqf53gaCZfD6EcE0MAtd7kNLHkXGdPYW0Ij7S1WnM3PBVJEYqmIa9S1xBqOIigJQaYeEg+PX5MCQJS72GR+YW2no=
X-Received: by 2002:a2e:be28:0:b0:278:f1a5:a361 with SMTP id
 z40-20020a2ebe28000000b00278f1a5a361mr1779215ljq.124.1669027805767; Mon, 21
 Nov 2022 02:50:05 -0800 (PST)
MIME-Version: 1.0
References: <20221118132850.5020-1-rsbultje@gmail.com>
 <20221118133738.5065-1-rsbultje@gmail.com>
 <CAEEMt2kKWTG2DCsHQsWFXQrOG6iT9eDUpNf9FKpronmJxVjnvA@mail.gmail.com>
In-Reply-To: <CAEEMt2kKWTG2DCsHQsWFXQrOG6iT9eDUpNf9FKpronmJxVjnvA@mail.gmail.com>
From: Hirokazu Honda <hiroh@chromium.org>
Date: Mon, 21 Nov 2022 19:49:54 +0900
Message-ID: <CAO5uPHNJL+hn71sez=1ZxfkPdyFFKoKfWq4wU66mG=Va87EM=A@mail.gmail.com>
To: "Ronald S. Bultje" <rsbultje@gmail.com>
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/vp8: Fix wrong vpx_rac_is_end()
 check
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: ffmpeg-devel@ffmpeg.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/CAO5uPHNJL+hn71sez=1ZxfkPdyFFKoKfWq4wU66mG=Va87EM=A@mail.gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Hi Ronald,

I am sorry for the late reply.
The bool decoder for the vp8 headr context can have already reached
the end of buffer when it is no longer used.
We should not check it here.
Adding the check for coeff_c there sounds good to me because coeff_c
must not have reached the end of the buffer in calling
decode_mb_coeffs().
And thanks for merging!

Thanks,
-Hiro
On Sun, Nov 20, 2022 at 12:55 AM Ronald S. Bultje <rsbultje@gmail.com> wrote:
>
> Hi,
>
> On Fri, Nov 18, 2022 at 8:37 AM Ronald S. Bultje <rsbultje@gmail.com> wrote:
>>
>> From: Hirokazu Honda <hiroh@chromium.org>
>>
>> The check of vpx_rac_is_end check(s) are added originally from
>> 1afd246960202917e244c844c534e9c1e3c323f5. It causes a regression
>> of some vp8 stream. b6b9ac5698c8f911841b469af77199153278c55c fixes
>> the regression by a sort of band-aid way. This fixes the wrongness
>> of the original commit. vpx_rac_is_end() should be called against
>> the bool decoder for the vp8 headr context, not one for each
>> coefficient. Reference is vp8_dixie_tokens_process_row() in token.c
>> in spec 20.16.
>>
>> Fixes: Ticket 8069
>> Fixes: regression of 1afd246960202917e244c844c534e9c1e3c323f5.
>> Fixes: b6b9ac5698c8f911841b469af77199153278c55c
>>
>> Co-authored-by: Ronald S. Bultje <rsbultje@gmail.com>
>> Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
>> Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
>> ---
>>  libavcodec/vp8.c | 14 +++++++++-----
>>  1 file changed, 9 insertions(+), 5 deletions(-)
>>
>> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
>> index 67f36d8933..db2419deaf 100644
>> --- a/libavcodec/vp8.c
>> +++ b/libavcodec/vp8.c
>> @@ -2404,7 +2404,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
>>      int num_jobs = s->num_jobs;
>>      const VP8Frame *prev_frame = s->prev_frame;
>>      VP8Frame *curframe = s->curframe;
>> -    VPXRangeCoder *c  = &s->coeff_partition[mb_y & (s->num_coeff_partitions - 1)];
>> +    VPXRangeCoder *coeff_c  = &s->coeff_partition[mb_y & (s->num_coeff_partitions - 1)];
>> +
>>      VP8Macroblock *mb;
>>      uint8_t *dst[3] = {
>>          curframe->tf.f->data[0] + 16 * mb_y * s->linesize,
>> @@ -2412,7 +2413,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
>>          curframe->tf.f->data[2] +  8 * mb_y * s->uvlinesize
>>      };
>>
>> -    if (vpx_rac_is_end(c))
>> +    if (vpx_rac_is_end(&s->c))
>>           return AVERROR_INVALIDDATA;
>>
>>      if (mb_y == 0)
>> @@ -2443,7 +2444,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
>>      td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
>>
>>      for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
>> -        if (vpx_rac_is_end(c))
>> +        if (vpx_rac_is_end(&s->c))
>>              return AVERROR_INVALIDDATA;
>>          // Wait for previous thread to read mb_x+2, and reach mb_y-1.
>>          if (prev_td != td) {
>> @@ -2470,8 +2471,11 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void
>>
>>          prefetch_motion(s, mb, mb_x, mb_y, mb_xy, VP8_FRAME_PREVIOUS);
>>
>> -        if (!mb->skip)
>> -            decode_mb_coeffs(s, td, c, mb, s->top_nnz[mb_x], td->left_nnz, is_vp7);
>> +        if (!mb->skip) {
>> +            if (vpx_rac_is_end(coeff_c))
>> +                return AVERROR_INVALIDDATA;
>> +            decode_mb_coeffs(s, td, coeff_c, mb, s->top_nnz[mb_x], td->left_nnz, is_vp7);
>> +        }
>>
>>          if (mb->mode <= MODE_I4x4)
>>              intra_predict(s, td, dst, mb, mb_x, mb_y, is_vp7);
>> --
>> 2.38.1
>
>
> Pushed.
>
> Ronald
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".