[FFmpeg-cvslog] checkasm/hevc_pel: Fix stack buffer overreads

Andreas Rheinhardt git at videolan.org
Wed Sep 29 05:45:15 EEST 2021 

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Tue Sep 28 16:13:03 2021 +0200| [09408539f4ad5d79f437d9b4789c5e64ad9b424f] | committer: Andreas Rheinhardt

checkasm/hevc_pel: Fix stack buffer overreads

This patch increases several stack buffers in order to fix
stack-buffer-overflows (e.g. in put_hevc_qpel_uni_hv_9 in
line 814 of hevcdsp_template.c) detected with ASAN in the hevc_pel
checkasm test.
The buffers are increased by the minimal amount necessary
in order not to mask potential future bugs.

Reviewed-by: Martin Storsjö <martin at martin.st>
Reviewed-by: "zhilizhao(赵志立)" <quinkblack at foxmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09408539f4ad5d79f437d9b4789c5e64ad9b424f
---

 tests/checkasm/hevc_pel.c | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/tests/checkasm/hevc_pel.c b/tests/checkasm/hevc_pel.c
index ec24309081..43aa5cd084 100644
--- a/tests/checkasm/hevc_pel.c
+++ b/tests/checkasm/hevc_pel.c
@@ -40,10 +40,12 @@ static const int offsets[] = {0, 255, -1 };
     do {                                             \
         uint32_t mask = pixel_mask[bit_depth - 8];   \
         int k;                                       \
-        for (k = 0; k < BUF_SIZE; k += 4) {          \
+        for (k = 0; k < BUF_SIZE + SRC_EXTRA; k += 4) { \
             uint32_t r = rnd() & mask;               \
             AV_WN32A(buf0 + k, r);                   \
             AV_WN32A(buf1 + k, r);                   \
+            if (k >= BUF_SIZE)                       \
+                continue;                            \
             r = rnd();                               \
             AV_WN32A(dst0 + k, r);                   \
             AV_WN32A(dst1 + k, r);                   \
@@ -65,10 +67,13 @@ static const int offsets[] = {0, 255, -1 };
 #define src0 (buf0 + 2 * 4 * MAX_PB_SIZE) /* hevc qpel functions read data from negative src pointer offsets */
 #define src1 (buf1 + 2 * 4 * MAX_PB_SIZE)
 
+/* FIXME: Does the need for SRC_EXTRA for these tests indicate a bug? */
+#define SRC_EXTRA 8
+
 static void checkasm_check_hevc_qpel(void)
 {
-    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
-    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]);
+    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]);
+    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]);
     LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]);
     LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]);
 
@@ -111,8 +116,8 @@ static void checkasm_check_hevc_qpel(void)
 
 static void checkasm_check_hevc_qpel_uni(void)
 {
-    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
-    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]);
+    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]);
+    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]);
     LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]);
     LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]);
 
@@ -152,8 +157,8 @@ static void checkasm_check_hevc_qpel_uni(void)
 
 static void checkasm_check_hevc_qpel_uni_w(void)
 {
-    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
-    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]);
+    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]);
+    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]);
     LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]);
     LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]);
 
@@ -200,8 +205,8 @@ static void checkasm_check_hevc_qpel_uni_w(void)
 
 static void checkasm_check_hevc_qpel_bi(void)
 {
-    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
-    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]);
+    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]);
+    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]);
     LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]);
     LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]);
     LOCAL_ALIGNED_32(int16_t, ref0, [BUF_SIZE]);
@@ -244,8 +249,8 @@ static void checkasm_check_hevc_qpel_bi(void)
 
 static void checkasm_check_hevc_qpel_bi_w(void)
 {
-    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);
-    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE]);
+    LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE + SRC_EXTRA]);
+    LOCAL_ALIGNED_32(uint8_t, buf1, [BUF_SIZE + SRC_EXTRA]);
     LOCAL_ALIGNED_32(uint8_t, dst0, [BUF_SIZE]);
     LOCAL_ALIGNED_32(uint8_t, dst1, [BUF_SIZE]);
     LOCAL_ALIGNED_32(int16_t, ref0, [BUF_SIZE]);
@@ -294,6 +299,9 @@ static void checkasm_check_hevc_qpel_bi_w(void)
     report("qpel_bi_w");
 }
 
+#undef SRC_EXTRA
+#define SRC_EXTRA 0
+
 static void checkasm_check_hevc_epel(void)
 {
     LOCAL_ALIGNED_32(uint8_t, buf0, [BUF_SIZE]);

More information about the ffmpeg-cvslog mailing list