[FFmpeg-devel] [PATCH 04/13] avcodec/h263dec: Clean intra tables in decoder, not ff_mpv_reconstruct_mb

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 04/13] avcodec/h263dec: Clean intra tables in decoder, not ff_mpv_reconstruct_mb
Date: Mon,  1 Jul 2024 14:16:01 +0200
Message-ID: <GV1P250MB0737504FDE53C85A73198ED78FD32@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <GV1P250MB0737B9F8B8BA2F37597B5A598FD32@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM>

This is a more appropriate place than a function designed
to reconstruct a macroblock. It furthermore limits these checks
to the codecs that actually need it (and removes it from e.g.
RV10 and RV20 -- the latter actually uses these buffers, but
only for intra-frames, so they don't need to be cleaned
manually).

This furthermore means that ff_mpv_reconstruct_mb() and therefore
also the error-resilience code no longer needs block_index set.
This fixes a crash caused by 65d5ccb808ec93de46a2458ea8cc082ce4460f34
when ff_mpv_reconstruct_mb() is called by VC-1 code without
block_index being initialized properly (VC-1 uses and initializes
block_index itself normally).

Fixes: 69814/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4868081575329792
Fixes: heap-buffer-overflow

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/h263dec.c                     | 9 +++++++++
 libavcodec/mpv_reconstruct_mb_template.c | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 0c23012584..3e9da23d3a 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -271,6 +271,15 @@ static int decode_slice(MpegEncContext *s)
             ff_tlog(NULL, "Decoding MB at %dx%d\n", s->mb_x, s->mb_y);
             ret = s->decode_mb(s, s->block);
 
+            if (s->h263_pred || s->h263_aic) {
+                int mb_xy = s->mb_y * s->mb_stride + s->mb_x;
+                if (!s->mb_intra) {
+                    if (s->mbintra_table[mb_xy])
+                        ff_clean_intra_table_entries(s);
+                } else
+                    s->mbintra_table[mb_xy] = 1;
+            }
+
             if (s->pict_type != AV_PICTURE_TYPE_B)
                 ff_h263_update_motion_val(s);
 
diff --git a/libavcodec/mpv_reconstruct_mb_template.c b/libavcodec/mpv_reconstruct_mb_template.c
index f1cb0d7989..981c837642 100644
--- a/libavcodec/mpv_reconstruct_mb_template.c
+++ b/libavcodec/mpv_reconstruct_mb_template.c
@@ -61,6 +61,7 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
 
     s->cur_pic.qscale_table[mb_xy] = s->qscale;
 
+#if IS_ENCODER
     /* update DC predictors for P macroblocks */
     if (!s->mb_intra) {
         if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic)) {
@@ -70,7 +71,6 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
     } else if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic))
         s->mbintra_table[mb_xy] = 1;
 
-#if IS_ENCODER
     if ((s->avctx->flags & AV_CODEC_FLAG_PSNR) || s->frame_skip_threshold || s->frame_skip_factor ||
         !((s->intra_only || s->pict_type == AV_PICTURE_TYPE_B) &&
           s->avctx->mb_decision != FF_MB_DECISION_RD))  // FIXME precalc
-- 
2.40.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
