[PATCH] Re: [Ffmpeg-devel] FFmpeg: H.264 decoding issue
Matthias Hopf
mat
Tue Feb 20 00:39:34 CET 2007
On Feb 09, 07 00:25:12 +0100, Reinhard Nissl wrote:
> I've uploaded a H.264 sample file which isn't decoded properly. The file
> seems to be OK as it can be properly decoded on Windows using
> Cyberlink's HD264Pack.
>
> mplayer -demuxer h264es -vc ffh264 /video/luxe-hd.es.h264
>
> [h264 @ 0x84cd0a0]concealing 2720 DC, 2720 AC, 2720 MV errors
> Xlib: unexpected async reply (sequence 0x70)!
> Segmentation fault
Find two patches attached that should fix *some* of h264 PAFF issues.
Note that they don't fix PAFF at all, but add safety checks.
The issues fixed by these patches are IMHO not security relevant. While
the first is a buffer overflow, it only overwrites frames, and only with
data from frame edges, which are not user specificable AFAIK. The second
is a plain old fashioned NULL pointer access, so appart from DoS no
security issue.
Note also that the file I tested this with plays fine now on my
Pentium M, but still crashes on my Athlon XP. Though I guess this is
some side effect and not an architecture specific problem. So these are
certainly only the first of a series of patches.
Please test with your file
Matthias
--
Matthias Hopf <mhopf at suse.de> __ __ __
Maxfeldstr. 5 / 90409 Nuernberg (_ | | (_ |__ mat at mshopf.de
Phone +49-911-74053-715 __) |_| __) |__ labs www.mshopf.de
-------------- next part --------------
Index: libavcodec/utils.c
===================================================================
--- libavcodec/utils.c (revision 8020)
+++ libavcodec/utils.c (working copy)
@@ -278,7 +278,7 @@
if(!(s->flags&CODEC_FLAG_EMU_EDGE)){
w+= EDGE_WIDTH*2;
- h+= EDGE_WIDTH*2;
+ h+= EDGE_WIDTH*2+1; // +1 for potential interlace (MPV_frame_start)
}
avpicture_fill(&picture, NULL, s->pix_fmt, w, h);
pixel_size= picture.linesize[0]*8 / w;
-------------- next part --------------
Index: libavcodec/mpegvideo.c
===================================================================
--- libavcodec/mpegvideo.c (revision 8020)
+++ libavcodec/mpegvideo.c (working copy)
@@ -3990,11 +3990,11 @@
if(lowres_flag){
h264_chroma_mc_func *op_pix = s->dsp.put_h264_chroma_pixels_tab;
- if (s->mv_dir & MV_DIR_FORWARD) {
+ if ((s->mv_dir & MV_DIR_FORWARD) && s->last_picture.data[0]) {
MPV_motion_lowres(s, dest_y, dest_cb, dest_cr, 0, s->last_picture.data, op_pix);
op_pix = s->dsp.avg_h264_chroma_pixels_tab;
}
- if (s->mv_dir & MV_DIR_BACKWARD) {
+ if ((s->mv_dir & MV_DIR_BACKWARD) && s->next_picture.data[0]) {
MPV_motion_lowres(s, dest_y, dest_cb, dest_cr, 1, s->next_picture.data, op_pix);
}
}else{
@@ -4004,12 +4004,12 @@
}else{
op_pix = s->dsp.put_no_rnd_pixels_tab;
}
- if (s->mv_dir & MV_DIR_FORWARD) {
+ if ((s->mv_dir & MV_DIR_FORWARD) && s->last_picture.data[0]) {
MPV_motion(s, dest_y, dest_cb, dest_cr, 0, s->last_picture.data, op_pix, op_qpix);
op_pix = s->dsp.avg_pixels_tab;
op_qpix= s->me.qpel_avg;
}
- if (s->mv_dir & MV_DIR_BACKWARD) {
+ if ((s->mv_dir & MV_DIR_BACKWARD) && s->next_picture.data[0]) {
MPV_motion(s, dest_y, dest_cb, dest_cr, 1, s->next_picture.data, op_pix, op_qpix);
}
}
More information about the ffmpeg-devel
mailing list