From patchwork Fri Nov 25 01:26:24 2016 X-Patchwork-Submitter: Andreas Cadhalpun X-Patchwork-Id: 1556 Delivered-To: ffmpegpatchwork@gmail.com
From: Andreas Cadhalpun X-Google-Original-From: Andreas Cadhalpun To: ffmpeg-devel@ffmpeg.org References: <75b43580-088b-3d28-8552-f5b64386f83d@googlemail.com> <20161123140117.GA4824@nb4> <20161124164538.GK4824@nb4> <20161124165743.GL4824@nb4> <20161125003856.GT4824@nb4> Message-ID: <48db2c6a-24e9-2c7c-f924-860f9b90d947@googlemail.com> Date: Fri, 25 Nov 2016 02:26:24 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0 MIME-Version: 1.0 In-Reply-To: <20161125003856.GT4824@nb4> Subject: Re: [FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" On 25.11.2016 01:38, Michael Niedermayer wrote: > On Fri, Nov 25, 2016 at 12:03:30AM +0100, Andreas Cadhalpun wrote: >> mss2.c | 13 ++++++++++--- >> 1 file changed, 10 insertions(+), 3 deletions(-) >> 884b912643244a4205bac63faedfa0c048bcc97a 0001-mss2-only-use-error-correction-for-matching-block-co.patch >> From df9241d8b575cc0fbf570e714c586ff37a4821fd Mon Sep 17 00:00:00 2001 >> From: Andreas Cadhalpun >> Date: Thu, 24 Nov 2016 23:57:46 +0100 >> Subject: [PATCH] mss2: only use error correction for matching block counts >> >> This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 >> with coded_width/coded_height larger than width/height. >> >> Signed-off-by: Andreas Cadhalpun >> --- >> libavcodec/mss2.c | 13 ++++++++++--- >> 1 file changed, 10 insertions(+), 3 deletions(-) >> >> diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c >> index 1e24568..62761e8 100644 >> --- a/libavcodec/mss2.c >> +++ b/libavcodec/mss2.c 
>> @@ -409,8 +409,6 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, >> return ret; >> } >> >> - ff_mpeg_er_frame_start(s); >> - >> v->bits = buf_size * 8; >> >> v->end_mb_x = (w + 15) >> 4; >> @@ -420,9 +418,18 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, >> if (v->respic & 2) >> s->end_mb_y = s->end_mb_y + 1 >> 1; >> >> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { >> + ff_mpeg_er_frame_start(s); >> + } else { >> + av_log(v->s.avctx, AV_LOG_WARNING, >> + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", >> + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); >> + } >> + >> ff_vc1_decode_blocks(v); >> >> - ff_er_frame_end(&s->er); >> + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) >> + ff_er_frame_end(&s->er); > > there are still ff_er_add_slice() calls in the block decode code i think > It seems not to matter but skiping just ff_er_frame_end() and > not ff_mpeg_er_frame_start() feels less inconsistent OK, update patch is attached. Best regards, Andreas From 6d8b5136c67f3a8cb3f4a4c818f311d748bbab5d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH] mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Signed-off-by: Andreas Cadhalpun --- libavcodec/mss2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 1e24568..581865b 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c 
@@ -422,7 +422,13 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, ff_vc1_decode_blocks(v); - ff_er_frame_end(&s->er); + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { + ff_er_frame_end(&s->er); + } else { + av_log(v->s.avctx, AV_LOG_WARNING, + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); + } ff_mpv_frame_end(s); -- 2.10.2
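Review bot: the av_log() in the new `else` branch of the `@@ -422,7 +422,13 @@` hunk fires at AV_LOG_WARNING on every frame of an affected stream, because the block-count mismatch it reports is a property of the stream's coded vs. display size rather than of a single frame; consider emitting it once per context (or dropping to AV_LOG_DEBUG after the first hit) so a long file does not flood the log with identical lines. A second point worth a comment above the condition: this version gates only `ff_er_frame_end(&s->er)`, while `ff_mpeg_er_frame_start(s)` (unchanged, earlier in decode_wmv9, visible in the quoted v1 hunk at `@@ -409,8`) and the ff_er_add_slice() calls Michael mentions still run against an error-resilience context sized for `s->mb_width x s->mb_height`; that asymmetry was accepted deliberately, but a one-line comment saying why only the end call is skipped would spare the next reader from re-deriving it. Finally, the commit message states the heap-buffer-overflow but not where the coded_width/coded_height vs. width/height mismatch originates in mss2; one sentence on that would make the "block count mismatch %dx%d != %dx%d" log text easier to map back to the input.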