From: Lynne via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Date: Sun, 21 Jul 2024 03:16:13 +0200
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH v5 00/10] aacdec: add a native xHE-AAC decoder
In-Reply-To: <20240719234207.GI4991@pb2>
References: <20240530023927.1205442-1-dev@lynne.ee> <20240719234207.GI4991@pb2>
On 20/07/2024 01:42, Michael Niedermayer wrote:
> On Thu, May 30, 2024 at 04:37:08AM +0200, Lynne via ffmpeg-devel wrote:
>> This commit adds a decoder for the frequency-domain part of USAC.
>>
>> Changes over version 4:
>> - Actually reset entropy decoding upon configuration.
>> - Support for LFE channels.
>>
>> Lynne (10):
>>   channel_layout: add new channel positions supported by xHE-AAC
>>   aacdec: move from scalefactor ranged arrays to flat arrays
>>   aacdec: expose channel layout related functions
>>   aacdec: expose decode_tns
>>   aacdec_dsp: implement 768-point transform and windowing
>>   aactab: add deemphasis tables for USAC
>>   aactab: add tables for the new USAC arithmetic coder
>>   aactab: add new scalefactor offset tables for 96/768pt windows
>>   aacdec: add a decoder for AAC USAC (xHE-AAC)
>>   fate: add tests for xHE-AAC
>>
>>  libavcodec/aac/Makefile              |    3 +-
>>  libavcodec/aac/aacdec.c              |  371 +++---
>>  libavcodec/aac/aacdec.h              |  219 +++-
>>  libavcodec/aac/aacdec_ac.c           |  208 ++++
>>  libavcodec/aac/aacdec_ac.h           |   54 +
>>  libavcodec/aac/aacdec_dsp_template.c |  162 ++-
>>  libavcodec/aac/aacdec_fixed.c        |    2 +
>>  libavcodec/aac/aacdec_float.c        |    4 +
>>  libavcodec/aac/aacdec_latm.h         |   14 +-
>>  libavcodec/aac/aacdec_lpd.c          |  198 ++++
>>  libavcodec/aac/aacdec_lpd.h          |   33 +
>>  libavcodec/aac/aacdec_usac.c         | 1608 ++++++++++++++++++++++++++
>>  libavcodec/aac/aacdec_usac.h         |   37 +
>>  libavcodec/aactab.c                  |  560 +++++++++
>>  libavcodec/aactab.h                  |   22 +
>>  libavcodec/sinewin_fixed_tablegen.c  |    2 +
>>  libavcodec/sinewin_fixed_tablegen.h  |    4 +
>>  libavutil/channel_layout.c           |    4 +
>>  libavutil/channel_layout.h           |    8 +
>>  tests/fate/aac.mak                   |    8 +
>>  20 files changed, 3286 insertions(+), 235 deletions(-)
>>  create mode 100644 libavcodec/aac/aacdec_ac.c
>>  create mode 100644 libavcodec/aac/aacdec_ac.h
>>  create mode 100644 libavcodec/aac/aacdec_lpd.c
>>  create mode 100644 libavcodec/aac/aacdec_lpd.h
>>  create mode 100644 libavcodec/aac/aacdec_usac.c
>>  create mode 100644 libavcodec/aac/aacdec_usac.h
>
> This patchset seems to introduce some issue
> I'll mail you the testcase
>
> Running: 70425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6007809271988224
> =================================================================
> ==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
> WRITE of size 8 at 0x7f465944c648 thread T0
>     #0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
>     #1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16
>     #2 0x4fb930 in aac_decode_frame ffmpeg/libavcodec/aac/aacdec.c:2481:15
>     #3 0x68f21f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
>     #4 0x68f21f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
>     #5 0x68f21f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
>     #6 0x68dc4d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
>     #7 0x4d1e65 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
>     #8 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>     #9 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>     #10 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>     #11 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>     #12 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>     #13 0x42402d in _start (ffmpeg/tools/target_dec_aac_fixed_fuzzer+0x42402d)
>
> 0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
> freed by thread T0 here:
>     #0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
>     #1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
>     #2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
>     #3 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
>     #4 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
>     #5 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
>     #6 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
>     #7 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
>     #8 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
>     #9 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
>     #10 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>     #11 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>     #12 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>     #13 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>     #14 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>
> previously allocated by thread T0 here:
>     #0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
>     #1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
>     #2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
>     #3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
>     #4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23
>     #5 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
>     #6 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
>     #7 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
>     #8 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
>     #9 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
>     #10 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
>     #11 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
>     #12 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
>     #13 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>     #14 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>     #15 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>     #16 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>     #17 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>
> SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
> Shadow bytes around the buggy address:
>   0x0fe94b281870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b281880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b281890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b2818a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b2818b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0fe94b2818c0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
>   0x0fe94b2818d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b2818e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b2818f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b281900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0fe94b281910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==87684==ABORTING

Thanks, looks simple, I'll send a patch.
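The report quoted above is the usual shape of an ASan heap-use-after-free: one stack for the faulting access, one for the free, one for the original allocation, and the first project-owned frame of each is what a triager needs (here: the write in frame_configure_elements, the free in che_configure, the allocation in ff_aac_sbr_ctx_alloc_init_fixed, with che_configure on both the free and allocation stacks). The script below is an added example, not FFmpeg code and not part of this thread; it reduces such a report to those fields. The sample input is a trimmed copy of the report quoted in the thread, and the `ffmpeg/` path prefix and the list of allocator wrapper names are assumptions of the example.

```python
"""ASan heap-use-after-free triage: extract the access, free and allocation
stacks from a report and reduce each to its first project-owned frame.
Added example; it is not part of FFmpeg or of the mailing-list thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Allocator plumbing to skip when looking for the frame that really owns the
# object: libc/ASan interceptors plus FFmpeg's av_* wrappers (assumed list).
WRAPPERS = {"malloc", "free", "calloc", "realloc", "posix_memalign",
            "av_malloc", "av_mallocz", "av_calloc", "av_realloc", "av_free", "av_freep"}

FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")


@dataclass
class Frame:
    func: str
    loc: str  # "path:line:col", or "(module+offset)" when unsymbolized


@dataclass
class Triage:
    kind: str = ""
    op: str = ""
    size: int = 0
    offset: int = 0
    region_size: int = 0
    access: Optional[Frame] = None     # where the freed memory was touched
    freed: Optional[Frame] = None      # who released it
    allocated: Optional[Frame] = None  # who created it
    owner: Optional[str] = None        # function on both the free and alloc stacks


def first_project_frame(frames, prefix):
    """First frame inside the project tree that is not allocator plumbing."""
    for f in frames:
        if f.func not in WRAPPERS and f.loc.startswith(prefix):
            return f
    return None


def parse_asan_report(text: str, project_prefix: str = "ffmpeg/") -> Triage:
    t = Triage()
    stacks = {"access": [], "freed": [], "allocated": []}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail quoting and indentation
        if m := ERROR_RE.search(line):
            t.kind, current = m["kind"], "access"
        elif m := ACCESS_RE.match(line):
            t.op, t.size = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            t.offset, t.region_size = int(m["off"]), int(m["size"])
        elif line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
        elif line.startswith("SUMMARY:"):
            current = None
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append(Frame(m["func"], m["loc"]))
    t.access = first_project_frame(stacks["access"], project_prefix)
    t.freed = first_project_frame(stacks["freed"], project_prefix)
    t.allocated = first_project_frame(stacks["allocated"], project_prefix)
    # The innermost non-wrapper function that both freed and allocated the
    # object is the one responsible for its lifetime.
    alloc_funcs = {f.func for f in stacks["allocated"]}
    t.owner = next((f.func for f in stacks["freed"]
                    if f.func not in WRAPPERS and f.func in alloc_funcs), None)
    return t


def summarize(t: Triage) -> str:
    def fmt(f):
        return f"{f.func} ({f.loc})" if f else "?"
    return (f"{t.kind}: {t.op} of {t.size} bytes at offset {t.offset}/{t.region_size} "
            f"in {fmt(t.access)}; freed by {fmt(t.freed)}; allocated by "
            f"{fmt(t.allocated)}; lifetime owner: {t.owner}")


# Constructed sample: a trimmed copy of the report quoted in the thread.
SAMPLE_REPORT = """\
==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
WRITE of size 8 at 0x7f465944c648 thread T0
    #0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
    #1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16

0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
freed by thread T0 here:
    #0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
    #2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15

previously allocated by thread T0 here:
    #0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
    #1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
    #2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
    #3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
    #4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23

SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
"""

if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Feed it the full report (quoted or not) and the summary gives the three frames to read first; the `owner` field points at the function whose allocate/free pairing needs checking when the access stack does not go through it, which is the pattern in the report above.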
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel