From patchwork Sun Sep  5 11:02:56 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Niklas Haas <ffmpeg@haasn.xyz>
X-Patchwork-Id: 30003
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6602:2a4a:0:0:0:0 with SMTP id k10csp2855953iov;
        Sun, 5 Sep 2021 04:03:27 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJyetX0xoJWDFTtWfC5+9wj9eZYkHVc52Kmm73If1TAmZepI+oRjU7Kw3pk2ZxRNB2xjKRoE
X-Received: by 2002:a17:906:1c41:: with SMTP id
 l1mr8469535ejg.13.1630839807261;
        Sun, 05 Sep 2021 04:03:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1630839807; cv=none;
        d=google.com; s=arc-20160816;
        b=d1+4dNVB+kInou4CBmJ/fgDjftC1O3ZzRefk0g7Z3WzMbpGWP+L9MkciZJmnJPQFxl
         cVoXs4i6R27T1fBm9wFUXy0q82/77V3l6fkHQOxaENFBKrRL8FKrdM4e9H08wOYTWTe4
         y0ViYhHPRBXpSEey1HsV/VR+aVs+elGE9AqIRYpiqTPpskFz/1aCgohUmraYV5t7OExu
         RoQV8yVzVmmaUe/ilwPJTjeBWJPqTaG17nvubwcWD/EwLa5ZEkFQGAuaqUHyZJ1GbgDF
         n6TnWzVtUabOaCxXPmusoNcBqWaHRBT9AhmN8VpTlVL2LL2X/bcggqIahY9OeylKZeeV
         xnmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:cc:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:mime-version:message-id:date:to:from
         :dkim-signature:delivered-to;
        bh=OlxNIaMFQ9QT01i8XKwGzVLn81MXwbPgHiuMeQsuFMw=;
        b=gb+j5+pK/zRG4rCVauARZ813okQas3hPD1MA6B0mfubCT14tFRkLVg35ogmuD6QQIM
         QB10TSbGKosRU9Rtbj5k9n1xZWOGPO8pC15Hi4PW0Cev0E3ZEHHBSwSVHxkwesQcSkrA
         Lc8lSG27zOnzMQtddnH6LltSCk7Ul9tdb0FDhtTMabfUv+yxnkb6OFHCXFKz+78QKBjo
         5boxjpBhsmzalY688N+fNge0idZ92ncQDCu2yTBrXGLQDpdbc0K9svTi1OkLB05LlDoy
         U3ENGQ/+mLsbc8Jzu1T2q13Y6qXmqqD8oLGg6IrGN4Dl11BkHQ90SDpiO4HEZKs84UgJ
         l6oQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@haasn.xyz
 header.s=mail header.b=eRPh6zsH;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 nd21si4853812ejc.580.2021.09.05.04.03.25;
        Sun, 05 Sep 2021 04:03:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@haasn.xyz
 header.s=mail header.b=eRPh6zsH;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id B4E0A68A4C5;
	Sun,  5 Sep 2021 14:03:09 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from haasn.dev (haasn.dev [78.46.187.166])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E28AC68016E
 for <ffmpeg-devel@ffmpeg.org>; Sun,  5 Sep 2021 14:03:01 +0300 (EEST)
Received: from haasn.dev (unknown [10.30.0.2])
 by haasn.dev (Postfix) with ESMTP id DBCD547784;
 Sun,  5 Sep 2021 13:03:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=haasn.xyz; s=mail;
 t=1630839780; bh=uQQjIZ1jo+yfN985jwFb6DcnPhPPlnVO/GbounZBUlU=;
 h=From:To:Cc:Subject:Date:From;
 b=eRPh6zsHoi20IeOCjI9GxMu++8qHDcI37LeOQl/Ze8EcyWdXulS8wXB+qGUL2vy7y
 Q8V3bmvnN6Y7XtG+DyGYUlh9ii2YF+Bk8oIYI/sDAgejVncHlensFBnKCJrbbaMK0W
 iKjWAuQayv6OByA5OfpbKxmsK6ovEkallPtrPOSo=
From: Niklas Haas <ffmpeg@haasn.xyz>
To: ffmpeg-devel@ffmpeg.org
Date: Sun,  5 Sep 2021 13:02:56 +0200
Message-Id: <20210905110257.58834-1-ffmpeg@haasn.xyz>
X-Mailer: git-send-email 2.33.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/h274: don't read from
 uninitialized array members
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Niklas Haas <git@haasn.dev>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: xm016XxWIDHB

From: Niklas Haas <git@haasn.dev>

This bug flew under the radar because, in practice, these values are
0-initialized for the first invocation. But for subsequent invocations
(with different h/v values), reading from the uninitialized parts of
`out` is undefined behavior.

Avoid this by simply adjusting the iteration range of the next loop. Has
the added benefit of being a minor speedup.
---
 libavcodec/h274.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h274.c b/libavcodec/h274.c
index 5e2cf150ea..a59d09b66e 100644
--- a/libavcodec/h274.c
+++ b/libavcodec/h274.c
@@ -74,12 +74,14 @@ static void init_slice_c(int8_t out[64][64], uint8_t h, uint8_t v,
 
     // 64x64 inverse integer transform
     for (int y = 0; y < 64; y++) {
-        for (int x = 0; x < 64; x++) {
+        for (int x = 0; x <= freq_h; x++) {
             int32_t sum = 0;
-            for (int p = 0; p < 64; p++)
+            for (int p = 0; p <= freq_v; p++)
                 sum += R64T[y][p] * out[x][p];
             tmp[y][x] = (sum + 128) >> 8;
         }
+        for (int x = freq_h+1; x < 64; x++)
+            tmp[y][x] = 0;
     }
 
     for (int y = 0; y < 64; y++) {