From: Dale Curtis
Date: Thu, 7 Aug 2025 14:20:11 -0700
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [h264] Make ff_h264_build_ref_list stricter with AV_EF_EXPLODE
In-Reply-To: <20250806220524.GY29660@pb2>

On Wed, Aug 6, 2025 at 3:05 PM Michael Niedermayer wrote:

> Hi
>
> On Tue, Aug 05, 2025 at 02:52:28PM -0700, Dale Curtis wrote:
> > Don't silently skip errors when AV_EF_EXPLODE is specified. This can
> > lead to out-of-bound reads with ff_put_h264_chroma_mc4_ssse3() when
> > small padding is used with the checked bitstream reader.
> >
> > Signed-off-by: Dale Curtis
> >
> >  h264_refs.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > e453856d1d24c3a4c2e42d61acdeff3b09b226da  h264_stricter_v1.patch
> > From 46b2fa1ec0cbd00c4fd3909665608d79760654d0 Mon Sep 17 00:00:00 2001
> > From: Dale Curtis
> > Date: Tue, 5 Aug 2025 21:45:19 +0000
> > Subject: [PATCH] Make ff_h264_build_ref_list stricter with AV_EF_EXPLODE
> >
>
> > Don't silently skip errors when AV_EF_EXPLODE is specified.
>
> ok
>
>
> > This can
> > lead to out-of-bound reads with ff_put_h264_chroma_mc4_ssse3() when
> > small padding is used with the checked bitstream reader.
>
> this sounds a bit fishy
>

I've sent you some details privately about how we end up here. I can drop
this from the patch set if you prefer.

>
> >
> > Signed-off-by: Dale Curtis
> > ---
> >  libavcodec/h264_refs.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
> > index 74840e5909..e6e3adf502 100644
> > --- a/libavcodec/h264_refs.c
> > +++ b/libavcodec/h264_refs.c
> > @@ -370,6 +370,9 @@ int ff_h264_build_ref_list(H264Context *h,
> H264SliceContext *sl)
> > i < 0 ? "reference picture missing during
> reorder\n" :
> > "mismatching reference\n"
> > );
> > + if (h->avctx->err_recognition & AV_EF_EXPLODE) {
> > + return AVERROR_INVALIDDATA;
> > + }
>
> indention depth is 4 in ffmpeg consistently
>

Done.

>
> > memset(&sl->ref_list[list][index], 0,
> sizeof(sl->ref_list[0][0])); // FIXME
> > } else {
> > for (i = index; i + 1 < sl->ref_count[list]; i++) {
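Review bot: the early `return AVERROR_INVALIDDATA;` added in the AV_EF_EXPLODE branch of the @@ -370 hunk skips the `memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0]))` that follows, so the entry just reported as "reference picture missing during reorder" or "mismatching reference" is left in sl->ref_list untouched rather than zeroed. That is only safe if every caller of ff_h264_build_ref_list() abandons the slice on a negative return and never reads the partially built list; please state that in the commit message, or move the return after the memset so the list is in the same state on both paths.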
> > @@ -392,6 +395,10 @@ int ff_h264_build_ref_list(H264Context *h,
> H264SliceContext *sl)
> > for (int index = 0; index < sl->ref_count[list]; index++) {
> > if ( !sl->ref_list[list][index].parent
> > || (!FIELD_PICTURE(h) &&
> (sl->ref_list[list][index].reference&3) != 3)) {
> > + if (h->avctx->err_recognition & AV_EF_EXPLODE) {
> > + av_log(h->avctx, AV_LOG_ERROR, "Missing reference
> picture\n");
> > + return AVERROR_INVALIDDATA;
> > + }
> > av_log(h->avctx, AV_LOG_ERROR, "Missing reference
> picture, default is %d\n", h->default_ref[list].poc);
>
> the error out can be after this av_log() avoiding the 2nd av_log() in the
> if()
>

I didn't make this change, but can if you prefer. The existing log implies
a default is set, but the new log simply indicates the reference picture
missing is a fatal error.

>
> thx
>
> [...]
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> I am the wisest man alive, for I know one thing, and that is that I know
> nothing. -- Socrates
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
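Review bot: in the @@ -392 hunk the same condition now logs two different strings depending on err_recognition ("Missing reference picture\n" with AV_EF_EXPLODE, "Missing reference picture, default is %d\n" without), which duplicates the message and makes the log harder to match on. One unconditional `av_log(h->avctx, AV_LOG_ERROR, "Missing reference picture\n");`, then `if (h->avctx->err_recognition & AV_EF_EXPLODE) return AVERROR_INVALIDDATA;`, then a separate log of the substituted value ("using default %d\n" with h->default_ref[list].poc) keeps a single string per condition and still avoids claiming a default was applied on the fatal path, which addresses the objection raised in the reply to the suggestion of returning after the existing av_log().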
>

[Attachment: h264_stricter_v2.patch]