From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 28 Sep 2021 16:41:17 +0200
X-Patchwork-Id: 30640
Subject: [FFmpeg-devel] [PATCH 9/9] checkasm/hevc_pel: Fix stack buffer overreads
Cc: Andreas Rheinhardt

This patch increases several stack buffers in order to fix stack-buffer-overflows (e.g. in put_hevc_qpel_uni_hv_9 in line 814 of hevcdsp_template.c) detected with ASAN in the hevc_pel checkasm test. The buffers are increased by the minimal amount necessary in order not to mask potential future bugs.

Signed-off-by: Andreas Rheinhardt
---
tests/checkasm/hevc_pel.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/tests/checkasm/hevc_pel.c b/tests/checkasm/hevc_pel.c index ec24309081..43aa5cd084 100644 --- a/tests/checkasm/hevc_pel.c +++ b/tests/checkasm/hevc_pel.c @@ -40,10 +40,12 @@ static const int offsets[] = {0, 255, -1 }; do { \ uint32_t mask = pixel_mask[bit_depth - 8]; \ int k; \ - for (k = 0; k < BUF_SIZE; k += 4) { \ + for (k = 0; k < BUF_SIZE + SRC_EXTRA; k += 4) { \ uint32_t r = rnd() & mask; \ AV_WN32A(buf0 + k, r); \ AV_WN32A(buf1 + k, r); \ + if (k >= BUF_SIZE) \ + continue; \ r = rnd(); \ AV_WN32A(dst0 + k, r); \ AV_WN32A(dst1 + k, r); \ 
@@ -65,10 +67,13 @@ static const int offsets[] = {0, 255, -1 }; #define src0 (buf0 + 2 * 4 * MAX_PB_SIZE) /* hevc qpel functions read data from negative src pointer offsets */ #define src1 (buf1 + 2 * 4 * MAX_PB_SIZE) +/* FIXME: Does the need for SRC_EXTRA for these tests indicate a bug? */ +#define SRC_EXTRA 8 + static void checkasm_check_hevc_qpel(void) { - LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]); - LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]); + LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]); + LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]); LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]); LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]); @@ -111,8 +116,8 @@ static void checkasm_check_hevc_qpel(void) static void checkasm_check_hevc_qpel_uni(void) { - LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]); - LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]); + LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]); + LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]); LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]); LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]); @@ -152,8 +157,8 @@ static void checkasm_check_hevc_qpel_uni(void) static void checkasm_check_hevc_qpel_uni_w(void) { - LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]); - LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]); + LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]); + LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]); LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]); LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]); @@ -200,8 +205,8 @@ static void checkasm_check_hevc_qpel_uni_w(void) static void checkasm_check_hevc_qpel_bi(void) { - LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]); - LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]); + LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]); + LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]); LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]); LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]); LOCAL_ALIGNED_32(int16_t, ref0, [BUF_SIZE]); 
@@ -244,8 +249,8 @@ static void checkasm_check_hevc_qpel_bi(void) static void checkasm_check_hevc_qpel_bi_w(void) { - LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]); - LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]); + LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]); + LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]); LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]); LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]); LOCAL_ALIGNED_32(int16_t, ref0, [BUF_SIZE]); @@ -294,6 +299,9 @@ static void checkasm_check_hevc_qpel_bi_w(void) report("qpel_bi_w"); } +#undef SRC_EXTRA +#define SRC_EXTRA 0 + static void checkasm_check_hevc_epel(void) { LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
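Review bot: in the first hunk (the fill loop at -40,10 +40,12), the new bound BUF_SIZE + SRC_EXTRA is only safe while SRC_EXTRA is a multiple of 4, because each iteration stores 4 bytes with AV_WN32A(buf0 + k, r) and steps k by 4; a value such as 6 would make the last store run past the end of buf0 and buf1. Please state that constraint next to the definition or enforce it with a compile-time check. The "if (k >= BUF_SIZE) continue;" in the middle of the body also reads more clearly as a second short loop that fills only the SRC_EXTRA tail of buf0/buf1.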
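Review bot: in the hunk at -65,10 +67,13, the value in "#define SRC_EXTRA 8" is not explained, and the FIXME above it leaves open whether the overread is a bug. The commit message names put_hevc_qpel_uni_hv_9 at line 814 of hevcdsp_template.c as one failing case; the comment should say which access requires these 8 bytes, so a reader can tell an expected filter-tap read past the block from a real out-of-bounds read in the DSP code. As written, the padding makes the ASAN report go away without recording why 8 is the right amount.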
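Review bot: the five qpel hunks (checkasm_check_hevc_qpel, _uni, _uni_w, _bi, _bi_w) repeat the same pair of declarations with [BUF_SIZE + SRC_EXTRA] spelled out each time. A single named size for the source buffers, used both in these declarations and in the fill loop, would keep the allocation and the loop bound from drifting apart if one of them is edited later.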
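Review bot: in the last hunk (-294,6 +299,9), "#undef SRC_EXTRA" followed by "#define SRC_EXTRA 0" makes the fill loop's bound depend on where in the file the macro is expanded. checkasm_check_hevc_epel still declares buf0 as [BUF_SIZE], so if an epel test is ever moved above this redefinition, or a new test is added without noticing it, the loop will write 8 bytes past the end of buf0 and buf1 on the stack. Passing the extra size to the fill macro as an argument, or using separate qpel and epel constants, would remove that ordering dependency.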