[FFmpeg-devel] [PATCH 2/4] checkasm: Implement helpers for defining and checking padded rects

Mon Mar 31 16:05:27 EEST 2025

On Sat, 29 Mar 2025, Michael Niedermayer wrote:

> On Wed, Mar 26, 2025 at 12:30:13PM +0200, Martin Storsjö wrote:
>> This backports similar functionality from dav1d, from commits
>> 35d1d011fda4a92bcaf42d30ed137583b27d7f6d and
>> d130da9c315d5a1d3968d278bbee2238ad9051e7.
>>
>> This allows detecting writes out of bounds, on all 4 sides of
>> the intended destination rectangle.
>>
>> The bounds checking also can optionally allow small overwrites
>> (up to a specified alignment), while still checking for larger
>> overwrites past the intended allowed region.
>> ---
>>  tests/checkasm/checkasm.c | 89 ++++++++++++++++++++++++++++++---------
>>  tests/checkasm/checkasm.h | 55 ++++++++++++++++++++----
>>  2 files changed, 116 insertions(+), 28 deletions(-)
>>
>> diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c
>> index c6d641c52b..a5b862fe52 100644
>> --- a/tests/checkasm/checkasm.c
>> +++ b/tests/checkasm/checkasm.c
>> @@ -1168,37 +1168,88 @@ void checkasm_report(const char *name, ...)
>>      }
>>  }
>>
>> +static int check_err(const char *file, int line,
>> +                     const char *name, int w, int h,
>> +                     int *err)
>> +{
>> +    if (*err)
>> +        return 0;
>> +    if (!checkasm_fail_func("%s:%d", file, line))
>> +        return 1;
>> +    *err = 1;
>> +    fprintf(stderr, "%s (%dx%d):\n", name, w, h);
>> +    return 0;
>> +}
>> +
>>  #define DEF_CHECKASM_CHECK_FUNC(type, fmt) \
>>  int checkasm_check_##type(const char *file, int line, \
>>                            const type *buf1, ptrdiff_t stride1, \
>>                            const type *buf2, ptrdiff_t stride2, \
>> -                          int w, int h, const char *name) \
>> +                          int w, int h, const char *name, \
>> +                          int align_w, int align_h, \
>> +                          int padding) \
>>  { \
>
>> +    int aligned_w = (w + align_w - 1) & ~(align_w - 1); \
>> +    int aligned_h = (h + align_h - 1) & ~(align_h - 1); \
>
> this can overflow
> feel free to fix in a seperate patch

Feel free to propose a patch for how you'd prefer to have it fixed then... 
I don't see this as a real world problem - w and h are bounded by the 
tests themselves, and likewise the alignments - I don't see us having 
tests using buffers with a width near INT32_MAX?

// Martin