From: Andreas Rheinhardt
Date: Mon, 1 Jul 2024 14:36:23 +0200
To: ffmpeg-devel@ffmpeg.org
In-Reply-To: <20240627235006.GF1904408@pb2>
References: <20240620170109.348254126EA@natalya.videolan.org> <20240627235006.GF1904408@pb2>
Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] avcodec/mpeg_er: Don't set block_index unnecessarily

Michael Niedermayer:
> On Thu, Jun 20, 2024 at 05:01:08PM +0000, Andreas Rheinhardt wrote:
>> ffmpeg | branch: master | Andreas Rheinhardt | Wed Jun 12 08:37:53 2024 +0200| [65d5ccb808ec93de46a2458ea8cc082ce4460f34] | committer: Andreas Rheinhardt
>>
>> avcodec/mpeg_er: Don't set block_index unnecessarily
>>
>> ff_init_block_index() sets MpegEncContext.dest and
>> MpegEncContext.block_index. The latter is unused by
>> ff_mpv_reconstruct_mb() (which is what this code is
>> preparatory for) and dest is overwritten a few lines below.
>> So don't initialize block_index at all.
>>
>> Signed-off-by: Andreas Rheinhardt
>>
>>> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65d5ccb808ec93de46a2458ea8cc082ce4460f34
>> ---
>>
>> libavcodec/mpeg_er.c | 4 ----
>> 1 file changed, 4 deletions(-)
>>
>> diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c
>> index e7b3197bb1..fe7dcd7efb 100644
>> --- a/libavcodec/mpeg_er.c
>> +++ b/libavcodec/mpeg_er.c
>> @@ -76,10 +76,6 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type,
>> s->mcsel = 0;
>> memcpy(s->mv, mv, sizeof(*mv));
>>
>> - ff_init_block_index(s);
>> - ff_update_block_index(s, s->avctx->bits_per_raw_sample,
>> - s->avctx->lowres, s->chroma_x_shift);
>> -
>> s->bdsp.clear_blocks(s->block[0]);
>> if (!s->chroma_y_shift)
>> s->bdsp.clear_blocks(s->block[6]);
>
> It seems not unnecessary
>
> Running: 69814/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4868081575329792
> =================================================================
> ==2146502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000009c80 at pc 0x00000049b63f bp 0x7ffdecbf28c0 sp 0x7ffdecbf2088
> WRITE of size 64 at 0x625000009c80 thread T0
> #0 0x49b63e in __asan_memset /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3
> #1 0xe85598 in ff_clean_intra_table_entries ffmpeg/libavcodec/mpegvideo.c:809:5
> #2 0xe9b926 in mpv_reconstruct_mb_internal ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:68:17
> #3 0xe9b926 in ff_mpv_reconstruct_mb ffmpeg/libavcodec/mpegvideo_dec.c:935
> #4 0xb1f790 in guess_mv ffmpeg/libavcodec/error_resilience.c:456:17
> #5 0xb0f9b5 in ff_er_frame_end ffmpeg/libavcodec/error_resilience.c:1224:9
> #6 0x63e595 in vc1_decode_frame ffmpeg/libavcodec/vc1dec.c:1341:13
> #7 0x4fe53f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
> #8 0x4fe53f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
> #9 0x4fe53f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
> #10 0x4fcf6d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
> #11 0x4d1da7 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:533:25
> #12 0x166259d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
> #13 0x1657172 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
> #14 0x165c371 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
> #15 0x1656e50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
> #16 0x7fd643b76082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
> #17 0x423f6d in _start (ffmpeg/tools/target_dec_vc1_fuzzer+0x423f6d)
>
> Address 0x625000009c80 is a wild pointer.
> SUMMARY: AddressSanitizer: heap-buffer-overflow /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset
> ==2146502==ABORTING
>
> Sorry for this.
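Review bot: the removed ff_init_block_index()/ff_update_block_index() calls in mpeg_er_decode_mb() are still needed on at least one path, so the commit message's premise (block_index unused by ff_mpv_reconstruct_mb(), dest overwritten a few lines below) does not cover every caller of this callback. The AddressSanitizer report above shows a 64-byte out-of-bounds memset in ff_clean_intra_table_entries(), reached from mpv_reconstruct_mb_internal() via ff_mpv_reconstruct_mb() -> guess_mv() -> ff_er_frame_end() out of vc1_decode_frame(), on a minimized VC-1 fuzz case, and the reply attributes it to this removal. Suggest restoring the two calls, or making the VC-1 and RV34 error-resilience callers responsible for setting up block_index and dest before they enter ff_mpv_reconstruct_mb(), and re-running the quoted test case under ASan before this lands; a patch that drops state setup from a shared callback should name every decoder that reaches it.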
I knew that VC-1 (and RV34) use ff_mpv_reconstruct_mb() for error resilience, but I thought that everything would be fine given that they initialize block_index. Apparently I was wrong.

Anyway, I have sent a patch that should fix this: https://ffmpeg.org/pipermail/ffmpeg-devel/2024-July/330463.html

Please confirm that it indeed does fix it.

- Andreas

PS: This patchset also includes a patch that effectively reverts a patch of yours: https://ffmpeg.org/pipermail/ffmpeg-devel/2024-July/330471.html

Can you test that it does not reenable the bug your patch fixed?