Date: Sun, 21 Apr 2024 17:34:39 +0100
From: Frank Plowman
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/vvcdec: ff_vvc_frame_submit, avoid initializing task twice.

On 21/04/2024 15:52, Nuo Mi wrote:
> For some error bitstreams, a CTU belongs to two slices/entry points.
> If the decoder initializes and submits the CTU task twice, it may crash the program
> or cause it to enter an infinite loop.
>
> Reported-by: Frank Plowman
> --- > libavcodec/vvc/dec.c | 7 +++++-- > libavcodec/vvc/thread.c | 43 ++++++++++++++++++++++++++++------------- > libavcodec/vvc/thread.h | 2 +- > 3 files changed, 36 insertions(+), 16 deletions(-) > > diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c > index 6aeec27eaf..4f7d184e43 100644 > --- a/libavcodec/vvc/dec.c > +++ b/libavcodec/vvc/dec.c 
> @@ -893,10 +893,13 @@ static int wait_delayed_frame(VVCContext *s, AVFrame *output, int *got_output) > > static int submit_frame(VVCContext *s, VVCFrameContext *fc, AVFrame *output, int *got_output) > { > - int ret; > + int ret = ff_vvc_frame_submit(s, fc); > + if (ret < 0) > + return ret; > + > s->nb_frames++; > s->nb_delayed++; > - ff_vvc_frame_submit(s, fc); > + > if (s->nb_delayed >= s->nb_fcs) { > if ((ret = wait_delayed_frame(s, output, got_output)) < 0) > return ret; > diff --git a/libavcodec/vvc/thread.c b/libavcodec/vvc/thread.c > index 01c3ff75b1..3b27811db2 100644 > --- a/libavcodec/vvc/thread.c > +++ b/libavcodec/vvc/thread.c > @@ -124,11 +124,17 @@ static void task_init(VVCTask *t, VVCTaskStage stage, VVCFrameContext *fc, const > atomic_store(&t->target_inter_score, 0); > } > > -static void task_init_parse(VVCTask *t, SliceContext *sc, EntryPoint *ep, const int ctu_idx) > +static int task_init_parse(VVCTask *t, SliceContext *sc, EntryPoint *ep, const int ctu_idx) > { > + if (t->sc) { > + // the task already inited, error bitstream > + return AVERROR_INVALIDDATA; > + } > t->sc = sc; > t->ep = ep; > t->ctu_idx = ctu_idx; > + > + return 0; > } > > static uint8_t task_add_score(VVCTask *t, const VVCTaskStage stage) 
> @@ -758,24 +764,35 @@ static void submit_entry_point(VVCContext *s, VVCFrameThread *ft, SliceContext * > frame_thread_add_score(s, ft, t->rx, t->ry, VVC_TASK_STAGE_PARSE); > } > > -void ff_vvc_frame_submit(VVCContext *s, VVCFrameContext *fc) > +int ff_vvc_frame_submit(VVCContext *s, VVCFrameContext *fc) > { > VVCFrameThread *ft = fc->ft; > > - for (int i = 0; i < fc->nb_slices; i++) { > - SliceContext *sc = fc->slices[i]; > - for (int j = 0; j < sc->nb_eps; j++) { > - EntryPoint *ep = sc->eps + j; > - for (int k = ep->ctu_start; k < ep->ctu_end; k++) { > - const int rs = sc->sh.ctb_addr_in_curr_slice[k]; > - VVCTask *t = ft->tasks + rs; > - > - task_init_parse(t, sc, ep, k); > - check_colocation(s, t); > + // We'll handle this in two passes: > + // Pass 0 to initialize tasks with parser, this will help detect bit stream error > + // Pass 1 to shedule location check and submit the entry point > + for (int pass = 0; pass < 2; pass++) { > + for (int i = 0; i < fc->nb_slices; i++) { > + SliceContext *sc = fc->slices[i]; > + for (int j = 0; j < sc->nb_eps; j++) { > + EntryPoint *ep = sc->eps + j; > + for (int k = ep->ctu_start; k < ep->ctu_end; k++) { > + const int rs = sc->sh.ctb_addr_in_curr_slice[k]; > + VVCTask *t = ft->tasks + rs; > + if (pass) { > + check_colocation(s, t); > + } else { > + const int ret = task_init_parse(t, sc, ep, k); > + if (ret < 0) > + return ret; > + } > + } > + if (pass) > + submit_entry_point(s, ft, sc, ep); > } > - submit_entry_point(s, ft, sc, ep); > } > } > + return 0; > } > > int ff_vvc_frame_wait(VVCContext *s, VVCFrameContext *fc) > diff --git a/libavcodec/vvc/thread.h b/libavcodec/vvc/thread.h > index 55bb4ea244..8ac59b2ecf 100644 > --- a/libavcodec/vvc/thread.h > +++ b/libavcodec/vvc/thread.h 
> @@ -30,7 +30,7 @@ void ff_vvc_executor_free(struct AVExecutor **e); > > int ff_vvc_frame_thread_init(VVCFrameContext *fc); > void ff_vvc_frame_thread_free(VVCFrameContext *fc); > -void ff_vvc_frame_submit(VVCContext *s, VVCFrameContext *fc); > +int ff_vvc_frame_submit(VVCContext *s, VVCFrameContext *fc); > int ff_vvc_frame_wait(VVCContext *s, VVCFrameContext *fc); > > #endif // AVCODEC_VVC_THREAD_H

This patch fixes most of the fuzz bitstreams I have which enter infinite loops, but also introduces a regression, turning some other bitstreams which were okay before into infinite loops.

-- 
Frank
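
Review bot: in submit_frame() (libavcodec/vvc/dec.c) the new early `return ret` leaves before `s->nb_frames++` and `s->nb_delayed++`, so a frame whose submit fails is never counted as delayed, and nothing in the visible lines releases or resets `fc` on that path. Please confirm the caller cleans up the frame context when this returns an error, or do the cleanup here before returning, since a half-submitted frame that is never waited on or freed is exactly the kind of state that can hang a later frame.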
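
Review bot: the `if (t->sc)` guard in task_init_parse() (libavcodec/vvc/thread.c) only works if every task's `sc` is NULL when a frame is submitted, and nothing in this hunk resets it: task_init() appears only as context, and a pass 0 failure in ff_vvc_frame_submit() returns with the tasks initialized so far still holding `sc`, `ep` and `ctu_idx`. Clear `t->sc` where the task is reinitialized for a new frame and on the error path, or state in the comment where that reset happens. The comment would also read better as "task already initialized: the CTU is claimed by two slices/entry points".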
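
Review bot: in ff_vvc_frame_submit() (libavcodec/vvc/thread.c), `rs = sc->sh.ctb_addr_in_curr_slice[k]` indexes `ft->tasks` in both passes with no range check in the visible lines; since this function now explicitly rejects corrupt bitstreams, confirm `rs` is validated upstream or reject an out-of-range value in pass 0 alongside the duplicate check. As a readability point, the `if (pass)` branches inside one shared loop nest are harder to follow than two small loops (one that calls task_init_parse(), one that calls check_colocation() and submit_entry_point()), and the comment "shedule location check" should read "schedule colocation check".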
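
Review bot: the prototype of ff_vvc_frame_submit() in libavcodec/vvc/thread.h changes from void to int with no comment on what it returns. Add a short doc comment saying it returns 0 on success and a negative AVERROR code (AVERROR_INVALIDDATA when a CTU task would be initialized twice), so callers know the result has to be checked.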