[FFmpeg-devel] [PATCH v5 00/10] aacdec: add a native xHE-AAC decoder

Sun Jul 21 04:16:13 EEST 2024

On 20/07/2024 01:42, Michael Niedermayer wrote:
> On Thu, May 30, 2024 at 04:37:08AM +0200, Lynne via ffmpeg-devel wrote:
>> This commit adds a decoder for the frequency-domain part of USAC.
>>
>> Changes over version 4:
>>   - Actually reset entropy decoding upon configuration.
>>   - Support for LFE channels.
>>
>> Lynne (10):
>>    channel_layout: add new channel positions supported by xHE-AAC
>>    aacdec: move from scalefactor ranged arrays to flat arrays
>>    aacdec: expose channel layout related functions
>>    aacdec: expose decode_tns
>>    aacdec_dsp: implement 768-point transform and windowing
>>    aactab: add deemphasis tables for USAC
>>    aactab: add tables for the new USAC arithmetic coder
>>    aactab: add new scalefactor offset tables for 96/768pt windows
>>    aacdec: add a decoder for AAC USAC (xHE-AAC)
>>    fate: add tests for xHE-AAC
>>
>>   libavcodec/aac/Makefile              |    3 +-
>>   libavcodec/aac/aacdec.c              |  371 +++---
>>   libavcodec/aac/aacdec.h              |  219 +++-
>>   libavcodec/aac/aacdec_ac.c           |  208 ++++
>>   libavcodec/aac/aacdec_ac.h           |   54 +
>>   libavcodec/aac/aacdec_dsp_template.c |  162 ++-
>>   libavcodec/aac/aacdec_fixed.c        |    2 +
>>   libavcodec/aac/aacdec_float.c        |    4 +
>>   libavcodec/aac/aacdec_latm.h         |   14 +-
>>   libavcodec/aac/aacdec_lpd.c          |  198 ++++
>>   libavcodec/aac/aacdec_lpd.h          |   33 +
>>   libavcodec/aac/aacdec_usac.c         | 1608 ++++++++++++++++++++++++++
>>   libavcodec/aac/aacdec_usac.h         |   37 +
>>   libavcodec/aactab.c                  |  560 +++++++++
>>   libavcodec/aactab.h                  |   22 +
>>   libavcodec/sinewin_fixed_tablegen.c  |    2 +
>>   libavcodec/sinewin_fixed_tablegen.h  |    4 +
>>   libavutil/channel_layout.c           |    4 +
>>   libavutil/channel_layout.h           |    8 +
>>   tests/fate/aac.mak                   |    8 +
>>   20 files changed, 3286 insertions(+), 235 deletions(-)
>>   create mode 100644 libavcodec/aac/aacdec_ac.c
>>   create mode 100644 libavcodec/aac/aacdec_ac.h
>>   create mode 100644 libavcodec/aac/aacdec_lpd.c
>>   create mode 100644 libavcodec/aac/aacdec_lpd.h
>>   create mode 100644 libavcodec/aac/aacdec_usac.c
>>   create mode 100644 libavcodec/aac/aacdec_usac.h
> 
> This patchset seems to introduce some issue
> Ill mail you the testcase
> 
> Running: 70425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6007809271988224
> =================================================================
> ==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
> WRITE of size 8 at 0x7f465944c648 thread T0
>      #0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
>      #1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16
>      #2 0x4fb930 in aac_decode_frame ffmpeg/libavcodec/aac/aacdec.c:2481:15
>      #3 0x68f21f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
>      #4 0x68f21f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
>      #5 0x68f21f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
>      #6 0x68dc4d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
>      #7 0x4d1e65 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
>      #8 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>      #9 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>      #10 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>      #11 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>      #12 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
>      #13 0x42402d in _start (ffmpeg/tools/target_dec_aac_fixed_fuzzer+0x42402d)
> 
> 0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
> freed by thread T0 here:
>      #0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
>      #1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
>      #2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
>      #3 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
>      #4 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
>      #5 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
>      #6 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
>      #7 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
>      #8 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
>      #9 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
>      #10 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>      #11 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>      #12 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>      #13 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>      #14 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
> 
> previously allocated by thread T0 here:
>      #0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
>      #1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
>      #2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
>      #3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
>      #4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23
>      #5 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
>      #6 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
>      #7 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
>      #8 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
>      #9 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
>      #10 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
>      #11 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
>      #12 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
>      #13 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>      #14 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>      #15 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>      #16 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>      #17 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
> Shadow bytes around the buggy address:
>    0x0fe94b281870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b281880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b281890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b2818a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b2818b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0fe94b2818c0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
>    0x0fe94b2818d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b2818e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b2818f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b281900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>    0x0fe94b281910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>    Addressable:           00
>    Partially addressable: 01 02 03 04 05 06 07
>    Heap left redzone:       fa
>    Freed heap region:       fd
>    Stack left redzone:      f1
>    Stack mid redzone:       f2
>    Stack right redzone:     f3
>    Stack after return:      f5
>    Stack use after scope:   f8
>    Global redzone:          f9
>    Global init order:       f6
>    Poisoned by user:        f7
>    Container overflow:      fc
>    Array cookie:            ac
>    Intra object redzone:    bb
>    ASan internal:           fe
>    Left alloca redzone:     ca
>    Right alloca redzone:    cb
>    Shadow gap:              cc
> ==87684==ABORTING

Thanks, looks simple, I'll send a patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xA2FEA5F03F034464.asc
Type: application/pgp-keys
Size: 624 bytes
Desc: OpenPGP public key
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240721/9a1e7c97/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240721/9a1e7c97/attachment.sig>