[FFmpeg-devel] [PATCH] checkasm/hevc_pel: fix stack-buffer-overflow

"zhilizhao(赵志立)" quinkblack at foxmail.com
Tue Sep 21 18:33:16 EEST 2021



> On Sep 21, 2021, at 10:40 PM, Andreas Rheinhardt <andreas.rheinhardt at outlook.com> wrote:
> 
> Martin Storsjö:
>> On Tue, 21 Sep 2021, Zhao Zhili wrote:
>> 
>>> ==225880==ERROR: AddressSanitizer: stack-buffer-overflow on address ...
>>> READ of size 2 at 0x7fffe49ab400 thread T0
>>>    #0 0x18301da in put_hevc_qpel_hv_9
>>> src/libavcodec/hevcdsp_template.c:666
>>>    #1 0x6c6bc4 in checkasm_check_hevc_qpel
>>> src/tests/checkasm/hevc_pel.c:97
>>>    #2 0x6cecc8 in checkasm_check_hevc_pel
>>> src/tests/checkasm/hevc_pel.c:528
>>> ---
>>> tests/checkasm/hevc_pel.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>> 
>>> diff --git a/tests/checkasm/hevc_pel.c b/tests/checkasm/hevc_pel.c
>>> index ec24309081..3dc7cd9090 100644
>>> --- a/tests/checkasm/hevc_pel.c
>>> +++ b/tests/checkasm/hevc_pel.c
>>> @@ -34,7 +34,7 @@ static const int denoms[] = {0, 7, 12, -1 };
>>> static const int offsets[] = {0, 255, -1 };
>>> 
>>> #define SIZEOF_PIXEL ((bit_depth + 7) / 8)
>>> -#define BUF_SIZE (2 * MAX_PB_SIZE * (2 * 4 + MAX_PB_SIZE))
>>> +#define BUF_SIZE (2 * MAX_PB_SIZE * (2 * 4 + MAX_PB_SIZE) + 8)
>>> 
>>> #define randomize_buffers()                          \
>>>     do {                                             \
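Review bot: the `+ 8` in the new BUF_SIZE is an unexplained magic number; a comment on the `+#define BUF_SIZE (2 * MAX_PB_SIZE * (2 * 4 + MAX_PB_SIZE) + 8)` line saying what those 8 bytes cover (the ASan trace above shows a 2-byte read past the end of the buffer in put_hevc_qpel_hv_9) would let a later reader check that the padding is sufficient rather than merely enough to silence this one report. Since BUF_SIZE is in bytes while SIZEOF_PIXEL varies with bit_depth, it is also worth stating in the commit message whether 8 bytes is enough for every bit depth the test loops over, or whether the reference function's reads should instead be bounded so the test buffer need not grow.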
>>> -- 
>>> 2.31.1
>> 
>> Probably ok (I haven't studied the issue, but this seems plausibly
>> correct).
>> 
> 
> I also found this issue quite a while ago and am using this here as
> a workaround (it is the minimal set of changes that makes the test pass
> for me):
> 
[…]
> 
> But I have never ever investigated why these buffers and only these
> buffers need to be enlarged and whether there is an underlying bug (i.e.
> whether an access beyond the end of the buffer might happen in a
> non-test scenario). Have you?
> 

I only did the math and test on the upper bound of 2 * (src - (uint16_t*)la_buf0),
where src is `pixel *src` in put_hevc_qpel_hv. I didn’t try to figure out how
the code works or how to make it less error prone.

The ffmpeg cmd doesn’t show such an error when decoding a HEVC sample with -cpuflags 0:

hevc (Main) (hev1 / 0x31766568), yuv420p10le(tv, progressive), 1920x1080

> - Andreas
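The thread asks why these buffers, and only these, need enlarging. As an added example (not FFmpeg code and not the patch author's analysis), the model below computes the furthest byte a horizontal-then-vertical filter would read from a test buffer laid out as the hunk's BUF_SIZE describes (stride of MAX_PB_SIZE pixels, 4 extra rows before and after, 2 bytes per pixel). The filter geometry is an assumption: an 8-tap filter reading 3 samples before and 4 after each position, with the test's source pointer 4 rows into the buffer; neither the real checkasm offsets nor the real reference-filter loops are on the page. Under those assumptions the horizontal taps of the last row run 4 pixels past the end of the buffer for a 64x64 block at 16-bit pixel size, which is the same 8 bytes the patch adds, while 8-bit pixels and smaller blocks stay in bounds. MAX_PB_SIZE = 64 is FFmpeg's HEVC maximum prediction block size.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants as they appear in the patch hunk. */
#define MAX_PB_SIZE 64
#define BUF_SIZE_OLD (2 * MAX_PB_SIZE * (2 * 4 + MAX_PB_SIZE))
#define BUF_SIZE_NEW (2 * MAX_PB_SIZE * (2 * 4 + MAX_PB_SIZE) + 8)

/* Hypothetical filter geometry used by this model (an assumption, not taken
 * from the page): an 8-tap separable filter reads 3 samples before and 4
 * samples after each output position, and the test's source pointer sits
 * 4 rows into the buffer. */
#define TAPS_BEFORE    3
#define TAPS_AFTER     4
#define SRC_ROW_OFFSET 4

/* One-past-the-end byte offset, relative to the buffer start, of the furthest
 * sample a horizontal-then-vertical filter touches for a width x height block.
 * The horizontal pass runs over every row the vertical pass needs, so the last
 * read lands on row SRC_ROW_OFFSET + height - 1 + TAPS_AFTER at column
 * width - 1 + TAPS_AFTER, which runs past the end of that row when
 * width == stride. */
size_t hv_read_end(int width, int height, int stride_px, int sizeof_pixel)
{
    size_t last_row = (size_t)SRC_ROW_OFFSET + height - 1 + TAPS_AFTER;
    size_t last_col = (size_t)width - 1 + TAPS_AFTER;
    return (last_row * stride_px + last_col + 1) * sizeof_pixel;
}

/* Bytes the model reads beyond buf_size; 0 means every read is in bounds. */
size_t hv_overrun(int width, int height, int stride_px, int sizeof_pixel,
                  size_t buf_size)
{
    size_t end = hv_read_end(width, height, stride_px, sizeof_pixel);
    return end > buf_size ? end - buf_size : 0;
}

int main(void)
{
    const int depths[] = {8, 10};
    for (size_t i = 0; i < sizeof(depths) / sizeof(depths[0]); i++) {
        int sizeof_pixel = (depths[i] + 7) / 8; /* SIZEOF_PIXEL from the hunk */
        printf("bit_depth=%d: overrun with old BUF_SIZE=%zu bytes, "
               "with new BUF_SIZE=%zu bytes\n",
               depths[i],
               hv_overrun(MAX_PB_SIZE, MAX_PB_SIZE, MAX_PB_SIZE, sizeof_pixel,
                          BUF_SIZE_OLD),
               hv_overrun(MAX_PB_SIZE, MAX_PB_SIZE, MAX_PB_SIZE, sizeof_pixel,
                          BUF_SIZE_NEW));
    }
    return 0;
}
```

The useful check for a test harness is the one hv_overrun expresses: derive the buffer size from the filter's tap reach and the block geometry rather than from a fixed constant, so a change to either shows up as a compile-time or test-time failure instead of an AddressSanitizer report.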
