[FFmpeg-devel] [HACK] fix CAVS decoder crashes

Michael Niedermayer michaelni
Sun Dec 12 21:32:20 CET 2010


On Sun, Dec 12, 2010 at 05:04:58PM +0100, Reimar Döffinger wrote:
> Hello,
> I have the suspicion this decoder needs heavy fuzzing testing.
> Anyway, trying to play http://samples.mplayerhq.hu/AVS/AVSFileFormat/AVSFileFormat.es
> results in crashes which the hack below "fixes".
> Index: libavcodec/cavs.h
> ===================================================================
> --- libavcodec/cavs.h   (revision 25928)
> +++ libavcodec/cavs.h   (working copy)
> @@ -242,6 +242,7 @@
>  extern const cavs_vector ff_cavs_dir_mv;
>  
>  static inline void modify_pred(const int_fast8_t *mod_table, int *mode) {
> +    if (*mode < 0) *mode = 0;
>      *mode = mod_table[*mode];
>      if(*mode < 0) {
>          av_log(NULL, AV_LOG_ERROR, "Illegal intra prediction mode\n");
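Review bot: the added `if (*mode < 0) *mode = 0;` silently clamps a negative prediction mode to 0 before the `mod_table` lookup, so a corrupt bitstream is decoded as if it had signalled mode 0 and no error is reported, while the existing `if(*mode < 0)` check after the lookup does report the illegal mode. A negative input is the same kind of error and should be handled the same way: log "Illegal intra prediction mode" and leave `*mode` in the error state the post-lookup branch already produces, so the caller can fail the macroblock instead of continuing with a guessed mode. The negative index into `mod_table` is the out-of-bounds read that caused the crash; rejecting it is the fix, clamping only hides it.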

> Index: libavcodec/cavsdec.c
> ===================================================================
> --- libavcodec/cavsdec.c        (revision 25928)
> +++ libavcodec/cavsdec.c        (working copy)
> @@ -122,7 +122,7 @@
>  
>      for(i=0;i<65;i++) {
>          level_code = get_ue_code(gb,r->golomb_order);
> -        if(level_code >= ESCAPE_CODE) {
> +        if(level_code >= ESCAPE_CODE || level_code < 0) {

level_code < 0 is a bitstream error and this should not continue


>              run = ((level_code - ESCAPE_CODE) >> 1) + 1;
>              esc_code = get_ue_code(gb,esc_golomb_order);
>              level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
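Review bot: routing `level_code < 0` into the escape branch turns one out-of-bounds access into another: with a negative `level_code`, `run = ((level_code - ESCAPE_CODE) >> 1) + 1` is negative, and the `run > r->max_run ? 1 : r->level_add[run]` expression then indexes `r->level_add` with that negative value, since the guard only checks the upper bound. As the reply says, a negative return from `get_ue_code` is a bitstream error; return an error (`-1` / the decoder's usual error code) before the `run` computation rather than extending the condition, e.g. `if(level_code < 0) return -1;` ahead of the existing `if(level_code >= ESCAPE_CODE)`.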
> @@ -234,7 +234,7 @@
>      for(block=0;block<4;block++) {
>          d = h->cy + h->luma_scan[block];
>          ff_cavs_load_intra_pred_luma(h, top, &left, block);
> -        h->intra_pred_l[h->pred_mode_Y[ff_cavs_scan3x3[block]]]
> +        h->intra_pred_l[FFMAX(h->pred_mode_Y[ff_cavs_scan3x3[block]], 0)]
>              (d, top, left, h->l_stride);
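Review bot: wrapping the index in `FFMAX(..., 0)` masks the symptom at the use site: a negative `h->pred_mode_Y[...]` is silently decoded with predictor 0 and the error never reaches the caller, so a fuzzed stream keeps producing garbage frames instead of failing. The negative value is produced earlier, when the prediction mode is derived (the `modify_pred` path in the cavs.h hunk), and that is where it should be rejected so the macroblock decode returns -1 before this call; this clamp can then go away. Note also that this hunk only guards the lower bound of the `intra_pred_l` index, so it relies on the earlier derivation for the upper bound either way.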

This probably should be a return -1 somewhere but I don't know where

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.