[PATCH] Re: [Ffmpeg-devel] FFmpeg: H.264 decoding issue
Michael Niedermayer
michaelni
Tue Feb 20 19:57:46 CET 2007
Hi
On Tue, Feb 20, 2007 at 12:39:34AM +0100, Matthias Hopf wrote:
> On Feb 09, 07 00:25:12 +0100, Reinhard Nissl wrote:
> > I've uploaded a H.264 sample file which isn't decoded properly. The file
> > seems to be OK as it can be properly decoded on Windows using
> > Cyberlink's HD264Pack.
> >
> > mplayer -demuxer h264es -vc ffh264 /video/luxe-hd.es.h264
> >
> > [h264 @ 0x84cd0a0]concealing 2720 DC, 2720 AC, 2720 MV errors
> > Xlib: unexpected async reply (sequence 0x70)!
> > Segmentation fault
>
> Find two patches attached that should fix *some* of h264 PAFF issues.
> Note that they don't fix PAFF at all, but add safety checks.
>
> The issues fixed by these patches are IMHO not security relevant. While
> the first is a buffer overflow, it only overwrites frames, and only with
> data from frame edges, which are not user specificable AFAIK. The second
> is a plain old fashioned NULL pointer access, so appart from DoS no
> security issue.
>
> Note also that the file I tested this with plays fine now on my
> Pentium M, but still crashes on my Athlon XP. Though I guess this is
> some side effect and not an architecture specific problem. So these are
> certainly only the first of a series of patches.
>
> Please test with your file
>
> Matthias
>
> --
> Matthias Hopf <mhopf at suse.de> __ __ __
> Maxfeldstr. 5 / 90409 Nuernberg (_ | | (_ |__ mat at mshopf.de
> Phone +49-911-74053-715 __) |_| __) |__ labs www.mshopf.de
> Index: libavcodec/utils.c
> ===================================================================
> --- libavcodec/utils.c (revision 8020)
> +++ libavcodec/utils.c (working copy)
> @@ -278,7 +278,7 @@
>
> if(!(s->flags&CODEC_FLAG_EMU_EDGE)){
> w+= EDGE_WIDTH*2;
> - h+= EDGE_WIDTH*2;
> + h+= EDGE_WIDTH*2+1; // +1 for potential interlace (MPV_frame_start)
why?
[...]
> Index: libavcodec/mpegvideo.c
> ===================================================================
> --- libavcodec/mpegvideo.c (revision 8020)
> +++ libavcodec/mpegvideo.c (working copy)
> @@ -3990,11 +3990,11 @@
> if(lowres_flag){
> h264_chroma_mc_func *op_pix = s->dsp.put_h264_chroma_pixels_tab;
>
> - if (s->mv_dir & MV_DIR_FORWARD) {
> + if ((s->mv_dir & MV_DIR_FORWARD) && s->last_picture.data[0]) {
> MPV_motion_lowres(s, dest_y, dest_cb, dest_cr, 0, s->last_picture.data, op_pix);
> op_pix = s->dsp.avg_h264_chroma_pixels_tab;
> }
> - if (s->mv_dir & MV_DIR_BACKWARD) {
> + if ((s->mv_dir & MV_DIR_BACKWARD) && s->next_picture.data[0]) {
> MPV_motion_lowres(s, dest_y, dest_cb, dest_cr, 1, s->next_picture.data, op_pix);
> }
> }else{
> @@ -4004,12 +4004,12 @@
> }else{
> op_pix = s->dsp.put_no_rnd_pixels_tab;
> }
> - if (s->mv_dir & MV_DIR_FORWARD) {
> + if ((s->mv_dir & MV_DIR_FORWARD) && s->last_picture.data[0]) {
> MPV_motion(s, dest_y, dest_cb, dest_cr, 0, s->last_picture.data, op_pix, op_qpix);
> op_pix = s->dsp.avg_pixels_tab;
> op_qpix= s->me.qpel_avg;
> }
> - if (s->mv_dir & MV_DIR_BACKWARD) {
> + if ((s->mv_dir & MV_DIR_BACKWARD) && s->next_picture.data[0]) {
> MPV_motion(s, dest_y, dest_cb, dest_cr, 1, s->next_picture.data, op_pix, op_qpix);
> }
this change is wrong, the bug is outside MPV_decode_mb(), its not
MPV_decode_mb() job to check the bitstreams validity
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No human being will ever know the Truth, for even if they happen to say it
by chance, they would not even known they had done so. -- Xenophanes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070220/58b3c8b3/attachment.pgp>
More information about the ffmpeg-devel
mailing list