From: Lynne via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Lynne <dev@lynne.ee>
Subject: Re: [FFmpeg-devel] [PATCH v5 00/10] aacdec: add a native xHE-AAC decoder
Date: Sun, 21 Jul 2024 03:16:13 +0200
Message-ID: <e369a95a-c9b5-4559-abfb-cde84c70a0cf@lynne.ee>
In-Reply-To: <20240719234207.GI4991@pb2>
On 20/07/2024 01:42, Michael Niedermayer wrote:
> On Thu, May 30, 2024 at 04:37:08AM +0200, Lynne via ffmpeg-devel wrote:
>> This commit adds a decoder for the frequency-domain part of USAC.
>>
>> Changes over version 4:
>> - Actually reset entropy decoding upon configuration.
>> - Support for LFE channels.
>>
>> Lynne (10):
>> channel_layout: add new channel positions supported by xHE-AAC
>> aacdec: move from scalefactor ranged arrays to flat arrays
>> aacdec: expose channel layout related functions
>> aacdec: expose decode_tns
>> aacdec_dsp: implement 768-point transform and windowing
>> aactab: add deemphasis tables for USAC
>> aactab: add tables for the new USAC arithmetic coder
>> aactab: add new scalefactor offset tables for 96/768pt windows
>> aacdec: add a decoder for AAC USAC (xHE-AAC)
>> fate: add tests for xHE-AAC
>>
>> libavcodec/aac/Makefile | 3 +-
>> libavcodec/aac/aacdec.c | 371 +++---
>> libavcodec/aac/aacdec.h | 219 +++-
>> libavcodec/aac/aacdec_ac.c | 208 ++++
>> libavcodec/aac/aacdec_ac.h | 54 +
>> libavcodec/aac/aacdec_dsp_template.c | 162 ++-
>> libavcodec/aac/aacdec_fixed.c | 2 +
>> libavcodec/aac/aacdec_float.c | 4 +
>> libavcodec/aac/aacdec_latm.h | 14 +-
>> libavcodec/aac/aacdec_lpd.c | 198 ++++
>> libavcodec/aac/aacdec_lpd.h | 33 +
>> libavcodec/aac/aacdec_usac.c | 1608 ++++++++++++++++++++++++++
>> libavcodec/aac/aacdec_usac.h | 37 +
>> libavcodec/aactab.c | 560 +++++++++
>> libavcodec/aactab.h | 22 +
>> libavcodec/sinewin_fixed_tablegen.c | 2 +
>> libavcodec/sinewin_fixed_tablegen.h | 4 +
>> libavutil/channel_layout.c | 4 +
>> libavutil/channel_layout.h | 8 +
>> tests/fate/aac.mak | 8 +
>> 20 files changed, 3286 insertions(+), 235 deletions(-)
>> create mode 100644 libavcodec/aac/aacdec_ac.c
>> create mode 100644 libavcodec/aac/aacdec_ac.h
>> create mode 100644 libavcodec/aac/aacdec_lpd.c
>> create mode 100644 libavcodec/aac/aacdec_lpd.h
>> create mode 100644 libavcodec/aac/aacdec_usac.c
>> create mode 100644 libavcodec/aac/aacdec_usac.h
>
> This patchset seems to introduce some issue
> I'll mail you the testcase
>
> Running: 70425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6007809271988224
> =================================================================
> ==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
> WRITE of size 8 at 0x7f465944c648 thread T0
> #0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
> #1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16
> #2 0x4fb930 in aac_decode_frame ffmpeg/libavcodec/aac/aacdec.c:2481:15
> #3 0x68f21f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
> #4 0x68f21f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
> #5 0x68f21f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
> #6 0x68dc4d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
> #7 0x4d1e65 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
> #8 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
> #9 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
> #10 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
> #11 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
> #12 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
> #13 0x42402d in _start (ffmpeg/tools/target_dec_aac_fixed_fuzzer+0x42402d)
>
> 0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
> freed by thread T0 here:
> #0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
> #1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
> #2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
> #3 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
> #4 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
> #5 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
> #6 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
> #7 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
> #8 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
> #9 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
> #10 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
> #11 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
> #12 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
> #13 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
> #14 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>
> previously allocated by thread T0 here:
> #0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
> #1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
> #2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
> #3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
> #4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23
> #5 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
> #6 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
> #7 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
> #8 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
> #9 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
> #10 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
> #11 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
> #12 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
> #13 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
> #14 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
> #15 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
> #16 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
> #17 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>
> SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
> ==87684==ABORTING
Thanks, looks simple, I'll send a patch