* [FFmpeg-devel] [PATCH 1/3] avcodec/indeo3: Fix UB pointer arithmetic
@ 2025-06-22 20:49 Andreas Rheinhardt
From: Andreas Rheinhardt @ 2025-06-22 20:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1: Type: text/plain, Size: 29 bytes --]
Patches attached.
- Andreas
[-- Attachment #2: 0001-avcodec-indeo3-Fix-UB-pointer-arithmetic.patch --]
[-- Type: text/x-patch, Size: 1462 bytes --]
From b0c865afeb02e5bce6cb43e5c3ec660e2833d25c Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 22 Jun 2025 22:36:00 +0200
Subject: [PATCH 1/3] avcodec/indeo3: Fix UB pointer arithmetic
Fixes the following error when running with Clang-UBSan:
src/libavcodec/indeo3.c:556:26: runtime error: applying non-zero offset 2560 to null pointer
This fixes the indeo3-2 FATE test.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/indeo3.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index fbabd4b6ad..59d7f12bf4 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -691,9 +691,11 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
}
zoom_fac = mode == 10;
- error = decode_cell_data(ctx, cell, block, ref_block, plane->pitch,
- zoom_fac, 1, mode, delta, swap_quads,
- &data_ptr, last_ptr);
+ av_assert2(!ref_block);
+ error = decode_cell_data(ctx, cell, block,
+ block /* dummy to avoid UB pointer arithmetic */,
+ plane->pitch, zoom_fac, 1, mode, delta,
+ swap_quads, &data_ptr, last_ptr);
}
break;
default:
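Review bot: av_assert2(!ref_block) ahead of the call is a no-op in builds below assert level 2, and the dummy passed right after it changes the failure mode: with block standing in for ref_block, any read through the reference pointer inside decode_cell_data() on this call path would quietly return destination pixels instead of faulting on NULL. The inline comment should state why that is safe, i.e. that the callee never dereferences ref_block when called from here; alternatively the offset computation at the indeo3.c:556 site named by UBSan could be skipped when ref_block is NULL, so that no dummy is needed.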
--
2.45.2
[-- Attachment #3: 0002-avcodec-indeo3-Consistently-use-ptrdiff_t-for-stride.patch --]
[-- Type: text/x-patch, Size: 1542 bytes --]
From bb65ad38b503ca0bb9e3a4bfe083623b78fac2e1 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 22 Jun 2025 22:39:35 +0200
Subject: [PATCH 2/3] avcodec/indeo3: Consistently use ptrdiff_t for strides
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/indeo3.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 59d7f12bf4..0e3b2b2a23 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -324,7 +324,7 @@ static inline uint32_t replicate32(uint32_t a) {
/* Fill n lines with 64-bit pixel value pix */
static inline void fill_64(uint8_t *dst, const uint64_t pix, int32_t n,
- int32_t row_offset)
+ ptrdiff_t row_offset)
{
for (; n > 0; dst += row_offset, n--)
AV_WN64A(dst, pix);
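Review bot: in fill_64() the loop header "for (; n > 0; dst += row_offset, n--)" still advances dst by row_offset once more after the final AV_WN64A store, so the function ends by forming a pointer a full row beyond the last line written. Since this series is about UB pointer arithmetic, it is worth confirming that this pointer can never land more than one past the end of the plane buffer, or restructuring the loop so the increment only happens when another line follows.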
@@ -441,10 +441,9 @@ static int decode_cell_data(Indeo3DecodeContext *ctx, Cell *cell,
unsigned int dyad1, dyad2;
uint64_t pix64;
int skip_flag = 0, is_top_of_cell, is_first_row = 1;
- int blk_row_offset, line_offset;
- blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2);
- line_offset = v_zoom ? row_offset : 0;
+ const ptrdiff_t blk_row_offset = (row_offset << (2 + v_zoom)) - (cell->width << 2);
+ const ptrdiff_t line_offset = v_zoom ? row_offset : 0;
if (cell->height & v_zoom || cell->width & h_zoom)
return IV3_BAD_DATA;
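Review bot: "(row_offset << (2 + v_zoom))" in the new blk_row_offset initializer left-shifts a signed stride (row_offset is ptrdiff_t in the decode_cell_data() signature), which is undefined for negative values, and "cell->width << 2" is still evaluated in the type of cell->width before being widened. Writing both terms as multiplications, e.g. row_offset * (4 << v_zoom) - 4 * (ptrdiff_t)cell->width, keeps the whole expression in ptrdiff_t and avoids shifting a signed operand.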
--
2.45.2
[-- Attachment #4: 0003-avcodec-indeo3-Constify-ref_block-in-decode_cell_dat.patch --]
[-- Type: text/x-patch, Size: 2194 bytes --]
From dcd42556165c9c071445da9c971d45844c5d1d7f Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 22 Jun 2025 22:45:08 +0200
Subject: [PATCH 3/3] avcodec/indeo3: Constify ref_block in decode_cell_data()
Also use smaller scope while just at it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/indeo3.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 0e3b2b2a23..ae6fd7290e 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -429,14 +429,13 @@ if (*data_ptr >= last_ptr) \
static int decode_cell_data(Indeo3DecodeContext *ctx, Cell *cell,
- uint8_t *block, uint8_t *ref_block,
+ uint8_t *block, const uint8_t *ref_block,
ptrdiff_t row_offset, int h_zoom, int v_zoom, int mode,
const vqEntry *delta[2], int swap_quads[2],
const uint8_t **data_ptr, const uint8_t *last_ptr)
{
int x, y, line, num_lines;
int rle_blocks = 0;
- uint8_t code, *dst, *ref;
const vqEntry *delta_tab;
unsigned int dyad1, dyad2;
uint64_t pix64;
@@ -450,8 +449,8 @@ static int decode_cell_data(Indeo3DecodeContext *ctx, Cell *cell,
for (y = 0; y < cell->height; is_first_row = 0, y += 1 + v_zoom) {
for (x = 0; x < cell->width; x += 1 + h_zoom) {
- ref = ref_block;
- dst = block;
+ const uint8_t *ref = ref_block;
+ uint8_t *dst = block;
if (rle_blocks > 0) {
if (mode <= 4) {
@@ -471,7 +470,7 @@ static int decode_cell_data(Indeo3DecodeContext *ctx, Cell *cell,
else
delta_tab = delta[1];
BUFFER_PRECHECK;
- code = bytestream_get_byte(data_ptr);
+ uint8_t code = bytestream_get_byte(data_ptr);
if (code < 248) {
if (code < delta_tab->num_dyads) {
BUFFER_PRECHECK;
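Review bot: "uint8_t code = bytestream_get_byte(data_ptr);" now sits directly after the BUFFER_PRECHECK statement, so this hunk introduces a declaration after a statement, and it is unrelated to the const qualifier named in the subject. I would move the scope reductions for code, ref and dst into their own commit so the constification can be reviewed (and, if needed, reverted) on its own, or at least name the affected variables in the commit message.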
--
2.45.2