From patchwork Thu Nov 24 23:03:30 2016
X-Patchwork-Submitter: Andreas Cadhalpun
X-Patchwork-Id: 1553
From: Andreas Cadhalpun
To: ffmpeg-devel@ffmpeg.org, libav development
References: <75b43580-088b-3d28-8552-f5b64386f83d@googlemail.com> <20161123140117.GA4824@nb4> <20161124164538.GK4824@nb4> <20161124165743.GL4824@nb4>
Date: Fri, 25 Nov 2016 00:03:30 +0100
In-Reply-To: <20161124165743.GL4824@nb4>
Subject: Re: [FFmpeg-devel] [PATCH] mpegpicture: use coded_width/coded_height to allocate frame

On 24.11.2016 17:57, Michael Niedermayer wrote:
> On Thu, Nov 24, 2016 at 05:45:38PM +0100, Michael Niedermayer wrote:
>> Is it correct that your case uses
>> decode_wmv9() -> vc1_decode_i_blocks() ?

Yes.

>> these decode a rectangle up to end_mb_y, end_mb_x
>> does this mismatch with what later code accesses ?

Yes, s->mb_width and s->mb_height are different from v->end_mb_x and s->end_mb_y.

>> would using end_mb_* in the EC code fix this ?

I'm not sure how this could be done properly; simply setting s->mb_width and s->mb_height to the other values does not work.

>> (or disabling EC if they mismatch)
>
> Note, for this sadly end_mb_* in MSS2 would need to be treated
> differently than other codecs as it has different semantics
> disabling EC on end_mb_ mismatch might be easier

Disabling error correction in that case works, though. Attached is a patch for that.

Best regards,
Andreas

From df9241d8b575cc0fbf570e714c586ff37a4821fd Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun Date: Thu, 24 Nov 2016 23:57:46 +0100 Subject: [PATCH] mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Signed-off-by: Andreas Cadhalpun --- libavcodec/mss2.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 1e24568..62761e8 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -409,8 +409,6 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, return ret; } - ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; v->end_mb_x = (w + 15) >> 4; @@ -420,9 +418,18 @@ static int decode_wmv9(AVCodecContext *avctx, const uint8_t *buf, int buf_size, if (v->respic & 2) s->end_mb_y = s->end_mb_y + 1 >> 1; + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) { + ff_mpeg_er_frame_start(s); + } else { + av_log(v->s.avctx, AV_LOG_WARNING, + "disabling error correction due to block count mismatch %dx%d != %dx%d\n", + v->end_mb_x, s->end_mb_y, s->mb_width, s->mb_height); + } + ff_vc1_decode_blocks(v); - ff_er_frame_end(&s->er); + if (v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height) + ff_er_frame_end(&s->er); ff_mpv_frame_end(s); -- 2.10.2
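Review bot: in the first hunk (@@ -409,8 +409,6 @@), ff_mpeg_er_frame_start(s) is removed from its position before the end_mb_x/end_mb_y computation so the second hunk can make it conditional on those values; please confirm that nothing between the old call site and the new one (the v->bits assignment and the end_mb_* computations) relies on the ER state already having been started, so that only the position of the call changes and not the decoder's behaviour in the matching case.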
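Review bot: in the second hunk (@@ -420,9 +418,18 @@), the condition `v->end_mb_x == s->mb_width && s->end_mb_y == s->mb_height` is spelled out twice, once around ff_mpeg_er_frame_start and again around ff_er_frame_end; evaluating it once into a local (for example `int use_er = ...;`) guarantees that the start and end calls can never disagree if the condition is adjusted later. The av_log warning also fires on every call of decode_wmv9 for a stream whose block counts always mismatch, so consider whether a per-frame warning is acceptable or should be limited to the first occurrence.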
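The block-count mismatch this thread describes, as an added example that is not FFmpeg's code: it computes the rectangle the decoder fills from width/height using the end_mb_x/end_mb_y formulas quoted in the patch (including the `respic & 2` row halving), the grid a later concealment pass would walk from coded_width/coded_height, counts how many per-macroblock slots such a pass would touch beyond the decoded rectangle, and shows the patch's guard reducing that to zero. The flat per-macroblock table and the rounding applied to the coded dimensions are simplifying assumptions, not FFmpeg's internals.

```c
/* Added example, not FFmpeg code. Models the mismatch the patch guards
 * against: the decoder fills end_mb_x x end_mb_y macroblocks (from
 * width/height) while a later pass walks mb_width x mb_height (from
 * coded_width/coded_height). Macroblocks are 16x16 pixels. */

/* Rectangle the decoder fills, using the end_mb_* formulas quoted in the
 * patch; only the respic & 2 row halving appears there, so only that flag
 * is modelled. */
static void decoded_mb_rect(int w, int h, int respic, int *mbx, int *mby)
{
    *mbx = (w + 15) >> 4;
    *mby = (h + 15) >> 4;
    if (respic & 2)
        *mby = (*mby + 1) >> 1;
}

/* Grid the concealment pass walks (assumption: same rounding on coded size). */
static void er_mb_grid(int coded_w, int coded_h, int *mbw, int *mbh)
{
    *mbw = (coded_w + 15) >> 4;
    *mbh = (coded_h + 15) >> 4;
}

/* The condition the patch checks before ff_mpeg_er_frame_start/ff_er_frame_end. */
int er_block_counts_match(int w, int h, int respic, int coded_w, int coded_h)
{
    int mbx, mby, mbw, mbh;
    decoded_mb_rect(w, h, respic, &mbx, &mby);
    er_mb_grid(coded_w, coded_h, &mbw, &mbh);
    return mbx == mbw && mby == mbh;
}

/* Simulated concealment pass over a per-macroblock table sized for the
 * decoded rectangle (simplifying assumption). Returns how many slots the pass
 * would touch past that table: the overflow, counted rather than performed.
 * With guard != 0 the pass is skipped on mismatch, as in the patch. */
int simulate_er_pass(int w, int h, int respic, int coded_w, int coded_h,
                     int guard)
{
    int mbx, mby, mbw, mbh, allocated, oob = 0;
    if (guard && !er_block_counts_match(w, h, respic, coded_w, coded_h))
        return 0; /* concealment disabled: nothing is touched */
    decoded_mb_rect(w, h, respic, &mbx, &mby);
    er_mb_grid(coded_w, coded_h, &mbw, &mbh);
    allocated = mbx * mby;
    for (int y = 0; y < mbh; y++)
        for (int x = 0; x < mbw; x++)
            if (y * mbw + x >= allocated)
                oob++;          /* this slot lies beyond the decoded table */
    return oob;
}
```

For a constructed 100x100 picture with a 128x128 coded size the unguarded pass reaches 15 slots past the 7x7 decoded table; with the guard it touches nothing.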