From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 21 Nov 2021 02:58:35 +0100
Subject: [FFmpeg-devel] [PATCH] avcodec/h263: Fix global-buffer-overflow with noout flag2 set

h263_get_motion_length() forgot to take an absolute value; as a consequence, a negative index was used to access an array. This leads to potential crashes, but mostly it just accesses what is to the left of ff_mvtab (unless one uses ASAN), thereby defeating the purpose of the AV_CODEC_FLAG2_NO_OUTPUT because the sizes of the returned packets differ from the sizes the encoder would actually have produced.

Signed-off-by: Andreas Rheinhardt
---
Do we need this AV_CODEC_FLAG2_NO_OUTPUT codepath in h263.h and mpeg4videoenc.c at all? It seems to have never worked and the speed difference to encoding with output is negligible. (And I have not even investigated whether the checks for whether said flag is set impact the performance of ordinary encoding.)

 libavcodec/h263.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/h263.h b/libavcodec/h263.h index 70fd1ffdc0..d6bef8318d 100644 --- a/libavcodec/h263.h +++ b/libavcodec/h263.h 
@@ -100,15 +100,16 @@ void ff_h263_encode_motion(PutBitContext *pb, int val, int f_code); static inline int h263_get_motion_length(int val, int f_code){ - int l, bit_size, code; + int bit_size, code, sign; if (val == 0) { return 1; /* ff_mvtab[0][1] */ } else { bit_size = f_code - 1; /* modulo encoding */ - l= INT_BIT - 6 - bit_size; - val = (val<>l; + val = sign_extend(val, 6 + bit_size); + sign = val >> 31; + val = (val ^ sign) - sign; /* val = FFABS(val) */ val--; code = (val >> bit_size) + 1;
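
Review bot: `sign = val >> 31;` in the added lines of h263_get_motion_length() hardcodes a 32-bit int and relies on right-shifting a negative signed value being arithmetic, whereas the removed code derived its shift from INT_BIT. Since the trailing comment already states the intent as `/* val = FFABS(val) */`, calling `val = FFABS(val);` directly after the sign_extend() line would remove the `sign` variable and the width assumption; if the branchless form is kept on purpose, `INT_BIT - 1` instead of the literal 31 would match the old code's convention. A short comment above the `val--;` line saying that val must be positive at that point because it is used to derive a table index would also record the invariant whose absence the commit message describes.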