From patchwork Tue Aug 20 07:50:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 51085 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:612c:40de:b0:48e:c0f8:d0de with SMTP id lb30csp133435vqb; Tue, 20 Aug 2024 00:51:31 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVcrRoQInb1pBpfnWZJuitwb0ZcKs1i/akFGTdoRgzZRmrGfY/rn5K4dyik4q0AKxRxgSo4WLQ8+rNweDaYzhDhKn0qishVXyU5dA== X-Google-Smtp-Source: AGHT+IEC9/Sga3wG0qdeR6ezPNMqm0nkIbTAbAarh/F3mrUoiDaDX9DbaxlIG/TRpPrHK6Ork1lB X-Received: by 2002:a05:651c:2105:b0:2f3:f08f:fb5 with SMTP id 38308e7fff4ca-2f3f08f116cmr5422371fa.22.1724140290896; Tue, 20 Aug 2024 00:51:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1724140290; cv=none; d=google.com; s=arc-20160816; b=NwzHHgp2jXi0sPEN/HSjpYZdybH/hUBC/2+etSBrbksWSV8/OxrSksmY+ZbjVR8CcZ rOU4IL9QY1kAbRddww+oRLSpZvU0GKL45WEQcW8edDPq5s7x6IiVx4RsGYEP6Wba2RPp G03LIz8LWo+xxyiI2waAu3MPcneZ5mnQ7VF0GZXKRsBtdDf1wcNWWn+HfxNws+ZMnn1F l5fwRp9Hg4n2Mo++ZcSkKtaRD7/Ckwy/kmtK2V9IsrGX34FW+1tTAiRAPc7KnWO0xOwt 2lOpSjpBg3Z7pmC1udZhDEgcue6cfeIxnYaj+hd6CWM2iXNfAvGaiZltxw7oYJavQbNz tW7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=nbRgY3JN2pACzz4el9E8UvN94TkPvGtRqEO7b2gob8Q=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=dySmocMRe+RxQs46NhNLhlyKDuTH2RyZZLRyOlM5pq14YGWZqVYOvU9hFLtq321RTi LPWepR5uTKzeqRH8jn9au0nBZn0dDK6jTQhKTjg7qUNndF6qno5F1U8WbW2P6JJoFLyx NRLZmdZ5HB/NiQCzMAWiv4BvIzsGn6s0jF8MI9WIUqTVrs1T332Bt65B3/QM+xlusOle C38F6mjZ/cyXpHYpfS0/H6puVXnVh41C1ZX3eaSV7B0btuUr2952fVcToiP6KbDgmd8t qaQz2dNknD0IZpyrZswinseFI0fWHOqr0Y4ZewXatXSFCjgMiw3SAB+XSHwHewRzVO6s 7amA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@niedermayer.cc header.s=gm1 header.b=gfY4lPW5; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id 4fb4d7f45d1cf-5bebc0c3cc8si6594975a12.621.2024.08.20.00.51.30; Tue, 20 Aug 2024 00:51:30 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@niedermayer.cc header.s=gm1 header.b=gfY4lPW5; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2B1EC68DBF0; Tue, 20 Aug 2024 10:51:10 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 92C9F68DC6D for ; Tue, 20 Aug 2024 10:51:01 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id C4AA66000A for ; Tue, 20 Aug 2024 07:51:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1724140260; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=orAoWir7qV27dBOklqvs/VT/gH4cKYANl5ycLUouf3w=; b=gfY4lPW5RuLqewFOpRO7LFzdypnSisLkouvxbvQHBGu/hZPkm4XnkxxEYpj3PPVo27tV/4 3BmIb0jWULimtnG7+MESb4wiKm+ZwVP4eYX43yR/mjtF8U3eGfb2x2DeD22dfw4q9FldcF k1SbkM9Mk5PE/uZPiWqxEAYz+lcfRBHmLoa/pYTueoclhJVXN8mnexoEwHPQTk9ILhAW/H ACXkc6MzGdnGkjBCLlv/fznAuZWuUirSPoHtnco5+Qlo/Y1hYv9ONb2kiQvFGFq1z0fxOq Ws0sNuv20HPAHrBqT46wAfI8CLTdi+Ui9kqcMLR7jk04NOR63dvS98ipi/S8Sw== From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Tue, 20 Aug 2024 09:50:54 +0200 Message-ID: <20240820075057.1735944-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc> References: <20240820075057.1735944-1-michael@niedermayer.cc> MIME-Version: 1.0 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 3/6] avcodec/vc1_block: propagate error codes X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: DRMPzhz1bwW9 Fixes: use of uninitialized value Fixes: 71228/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6188476880453632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 1d622b1a67b..1c422d902fa 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1297,6 +1297,7 @@ static int vc1_decode_p_mb(VC1Context *v) int dst_idx, off; int skipped, fourmv; int block_cbp = 0, pat, block_tt = 0, block_intra = 0; + int ret; mquant = v->pq; /* lossy initialization */ @@ -1355,8 +1356,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1458,8 +1461,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1530,6 +1535,7 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0, mvbp; int fieldtx; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1602,8 +1608,10 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1735,6 +1743,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) int pred_flag = 0; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1766,8 +1775,10 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1857,6 +1868,7 @@ static int vc1_decode_b_mb(VC1Context *v) int skipped, direct; int dmv_x[2], dmv_y[2]; int bmvtype = BMV_TYPE_BACKWARD; + int ret; mquant = v->pq; /* lossy initialization */ s->mb_intra = 0; @@ -1969,8 +1981,10 @@ static int vc1_decode_b_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2016,6 +2030,7 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) int bmvtype = BMV_TYPE_BACKWARD; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2048,8 +2063,10 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2186,6 +2203,7 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) int stride_y, fieldtx; int bmvtype = BMV_TYPE_BACKWARD; int dir, dir2; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2242,8 +2260,10 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && i > 3 && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2775,6 +2795,7 @@ static void vc1_decode_p_blocks(VC1Context *v) { MpegEncContext *s = &v->s; int apply_loop_filter; + int ret; /* select coding mode used for VLC tables selection */ switch (v->c_ac_table_index) { @@ -2817,22 +2838,22 @@ static void vc1_decode_p_blocks(VC1Context *v) } if (v->fcm == ILACE_FIELD) { - vc1_decode_p_mb_intfi(v); + ret = vc1_decode_p_mb_intfi(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } else if (v->fcm == ILACE_FRAME) { - vc1_decode_p_mb_intfr(v); + ret = vc1_decode_p_mb_intfr(v); if (apply_loop_filter) ff_vc1_p_intfr_loop_filter(v); } else { - vc1_decode_p_mb(v); + ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } - if (get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { + if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { // TODO: may need modification to handle slice coding ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR); - av_log(s->avctx, AV_LOG_ERROR, "Bits overconsumption: %i > %i at %ix%i\n", + av_log(s->avctx, AV_LOG_ERROR, "Error or Bits overconsumption: %i > %i at %ix%i\n", get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y); return; }