[FFmpeg-devel] [PATCH] Fix DV uninitialized reads

Baptiste Coudurier baptiste.coudurier
Tue Sep 29 20:56:43 CEST 2009


On 9/29/09 11:51 AM, Reimar D?ffinger wrote:
> On Tue, Sep 29, 2009 at 11:24:53AM -0700, Baptiste Coudurier wrote:
>> On 9/29/09 4:52 AM, Reimar D?ffinger wrote:
>>> On Mon, Sep 21, 2009 at 02:40:51PM +0200, Reimar D?ffinger wrote:
>>>> Hello,
>>>> I think this fixes the uninitialized data in the DV encoder that causes
>>>> sporadic "make test" failures, at least valgrind complains no longer.
>>>> Quick measurements with "time" indicate a slowdown by about 0.8%.
>>>> regression test values for the encoded files changes (memset to 0
>>>> instead of 0xff might avoid that though), but the decoded data
>>>> stays the same - so at least for the cases "make test" covers it is
>>>> correct.
>>>
>>> Ok, a different version.
>>> It uses s->sys->block_sizes even though I think it pointlessly bloats
>>> and complexifies the code, it memsets to 0xff still because the
>>> regression tests change anyway and the spec does not say anything about
>>> which value to use, and it returns -1 if the bitstream wrote too far,
>>> even though the return value is not checked anywhere.
>>
>> Humm, yet it bloats the code indeed, sorry, commit this patch with the
>> old check against size_in_bits.
>
> The bloat is partially due to other changes (like checking overread on
> bit-level, which I just realize is pointless), it is basically only the %
> s->sys->bpm it adds (though I find that very ugly).
> Which variant do you want, this one for example?:
>
> Index: libavcodec/dv.c
> ===================================================================
> --- libavcodec/dv.c     (revision 20081)
> +++ libavcodec/dv.c     (working copy)
> @@ -1102,8 +1102,17 @@
>               av_log(NULL, AV_LOG_ERROR, "ac bitstream overflow\n");
>       }
>
> -    for (j=0; j<5*s->sys->bpm; j++)
> +    for (j=0; j<5*s->sys->bpm; j++) {
> +       int pos;
> +       int size = pbs[j].size_in_bits>>  3;
>          flush_put_bits(&pbs[j]);
> +       pos = put_bits_count(&pbs[j])>>  3;
> +       if (pos>  size) {
> +           av_log(NULL, AV_LOG_ERROR, "bitstream written beyond buffer size\n");
> +           return -1;
> +       }
> +       memset(pbs[j].buf + pos, 0xff, size - pos);
> +    }
>
>       return 0;
>   }

Yes, this one is nice, I guess we do not have avctx available for av_log 
? If we don't, commit, we can add the context to av_log later.

-- 
Baptiste COUDURIER
Key fingerprint                 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer                                  http://www.ffmpeg.org



More information about the ffmpeg-devel mailing list