[FFmpeg-devel] [PATCH] Fix DV uninitialized reads

Baptiste Coudurier baptiste.coudurier
Tue Sep 22 20:40:14 CEST 2009 

Hi,

On 09/22/2009 01:20 AM, Reimar D?ffinger wrote:
> On Tue, Sep 22, 2009 at 12:19:29AM -0700, Baptiste Coudurier wrote:
>> Hi Reimar,
>>
>> On 09/21/2009 05:40 AM, Reimar D?ffinger wrote:
>>> Hello,
>>> I think this fixes the uninitialized data in the DV encoder that causes
>>> sporadic "make test" failures, at least valgrind complains no longer.
>>> Quick measurements with "time" indicate a slowdown by about 0.8%.
>>> regression test values for the encoded files changes (memset to 0
>>> instead of 0xff might avoid that though), but the decoded data
>>> stays the same - so at least for the cases "make test" covers it is
>>> correct.
>>
>> I assume 0xff is correct according to specs, right ?
>
> I don't think the specs say anything about it (except for the header
> DIFs), but since the current code pads the header and audio DIFs by 0xff
> it is consistent... (though flush_put_bits will pad with 0, so it is not
> that consistent).

Well I'd prefer being stricly correct according to specs.

>>> Index: libavcodec/dv.c
>>> ===================================================================
>>> --- libavcodec/dv.c     (revision 19948)
>>> +++ libavcodec/dv.c     (working copy)
>>> @@ -1102,8 +1102,14 @@
>>>                av_log(NULL, AV_LOG_ERROR, "ac bitstream overflow\n");
>>>        }
>>>
>>> -    for (j=0; j<5*s->sys->bpm; j++)
>>> +    for (j=0; j<5*s->sys->bpm; j++) {
>>> +       int pos, size;
>>>           flush_put_bits(&pbs[j]);
>>> +       pos = put_bits_count(&pbs[j])>>   3;
>>> +       size = pbs[j].size_in_bits>>   3;
>>
>> Maybe s->sys->block_sizes[j] makes more sense ?
>
> Not in my opinion. Like this it is clear that it simply pads the
> remainder of the put_bit context. If you use s->sys->block_sizes[j]
> the code is only understandable to someone who knows that this put_bit
> context is somehow related to the block sizes.

In my opinion it is unclear why we are padding the put_bit context and 
for how much. Using s->sys->block_sizes makes it clear that it's a block 
and its size is fixed and where the size is setup.

>>> +       if (pos<   size)
>>> +           memset(pbs[j].buf + pos, 0xff, size - pos);
>>
>> Is it worth to check for pos<  size ?
>
> For speed? No. But if for some reason ever the decoder writes beyond the
> buffer end without the check it would try to overwrite all memory with
> 0xff.

IMHO if this happen it's an error and encoder should return -1 to 
indicate it.

-- 
Baptiste COUDURIER
Key fingerprint                 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer                                  http://www.ffmpeg.org

More information about the ffmpeg-devel mailing list