[FFmpeg-devel,1/5] avcodec/vp8: do vp7_fade_frame() later

Submitted by Michael Niedermayer on Aug. 2, 2019, 5:19 p.m.

Details

Message ID 20190802171911.GN3219@michaelspb
State New
Headers show

Commit Message

Michael Niedermayer Aug. 2, 2019, 5:19 p.m.
On Fri, Aug 02, 2019 at 10:46:04PM +1000, Peter Ross wrote:
> On Thu, Aug 01, 2019 at 11:44:39PM +0200, Michael Niedermayer wrote:
> > Fixes: Timeout (100sec -> 5sec)
> > Fixes: 15073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5649257362620416
> > 
> > Untested as none of the vp7 samples i found executes this codepath
> 
> see attached. its all i can find :(

iam not sure iam making a mistake but these 2 files dont seem to execute
it

Tested with: AB is always 0 0 abort() is not reached
./ffmpeg -i vp7digimona_frame32.avi -f null -



             
             
[...]

Comments

Peter Ross Aug. 3, 2019, 1:44 a.m.
On Fri, Aug 02, 2019 at 07:19:11PM +0200, Michael Niedermayer wrote:
> On Fri, Aug 02, 2019 at 10:46:04PM +1000, Peter Ross wrote:
> > On Thu, Aug 01, 2019 at 11:44:39PM +0200, Michael Niedermayer wrote:
> > > Fixes: Timeout (100sec -> 5sec)
> > > Fixes: 15073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5649257362620416
> > > 
> > > Untested as none of the vp7 samples i found executes this codepath
> > 
> > see attached. its all i can find :(
> 
> iam not sure iam making a mistake but these 2 files dont seem to execute
> it

you are right michael. the samples attached have alpha/beta fade bits, but
they are both set to zero, therefore fade() is never called.

i dug up my old vp7-dev branch, and found alpha/beta were forced to specifically
test the fade path with those samples. e.g.:

      int alpha = (int8_t) vp8_rac_get_uint(c, 8) + 1;
      int beta  = (int8_t) vp8_rac_get_uint(c, 8) + 1;

all my other vp7 samples stop before the alpha/beta frame bits.


also, this sample has alpha/beta set to non-zero, but was generated through
fuzzing and produces no video.
https://trac.ffmpeg.org/attachment/ticket/3501/vp7_1_f.avi

cheers,

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
Michael Niedermayer Aug. 3, 2019, 11:30 a.m.
On Sat, Aug 03, 2019 at 11:44:06AM +1000, Peter Ross wrote:
> On Fri, Aug 02, 2019 at 07:19:11PM +0200, Michael Niedermayer wrote:
> > On Fri, Aug 02, 2019 at 10:46:04PM +1000, Peter Ross wrote:
> > > On Thu, Aug 01, 2019 at 11:44:39PM +0200, Michael Niedermayer wrote:
> > > > Fixes: Timeout (100sec -> 5sec)
> > > > Fixes: 15073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5649257362620416
> > > > 
> > > > Untested as none of the vp7 samples i found executes this codepath
> > > 
> > > see attached. its all i can find :(
> > 
> > iam not sure iam making a mistake but these 2 files dont seem to execute
> > it
> 
> you are right michael. the samples attached have alpha/beta fade bits, but
> they are both set to zero, therefore fade() is never called.
> 
> i dug up my old vp7-dev branch, and found alpha/beta were forced to specifically
> test the fade path with those samples. e.g.:
> 
>       int alpha = (int8_t) vp8_rac_get_uint(c, 8) + 1;
>       int beta  = (int8_t) vp8_rac_get_uint(c, 8) + 1;
> 
> all my other vp7 samples stop before the alpha/beta frame bits.

ok, tested with same "+1"

ill push my change as that seems the most that can be reasonable be done.

maybe we should ask for a sample if this codepath executes ?


> 
> 
> also, this sample has alpha/beta set to non-zero, but was generated through
> fuzzing and produces no video.
> https://trac.ffmpeg.org/attachment/ticket/3501/vp7_1_f.avi
> 
> cheers,
> 
> -- Peter
> (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

Thanks!

[...]

Patch hide | download patch | download mbox

--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -506,7 +506,7 @@  static int vp7_fade_frame(VP8Context *s, VP56RangeCoder *c)
     int alpha = (int8_t) vp8_rac_get_uint(c, 8);
     int beta  = (int8_t) vp8_rac_get_uint(c, 8);
     int ret;
-
+av_log(0,0, "AB %d %d\n", alpha, beta);
     if (c->end <= c->buffer && c->bits >= 0)
         return AVERROR_INVALIDDATA;
 
@@ -514,7 +514,7 @@  static int vp7_fade_frame(VP8Context *s, VP56RangeCoder *c)
         int width  = s->mb_width * 16;
         int height = s->mb_height * 16;
         AVFrame *src, *dst;
-
+abort();
         if (!s->framep[VP56_FRAME_PREVIOUS] ||
             !s->framep[VP56_FRAME_GOLDEN]) {
             av_log(s->avctx, AV_LOG_WARNING, "Discarding interframe without a prior keyframe!\n");