[FFmpeg-devel] [PATCH 1/2] avcodec/g2meet: Check if adjusted pixel was on the stack

Michael Niedermayer michael at niedermayer.cc
Tue Sep 10 17:06:32 EEST 2019


On Mon, Sep 09, 2019 at 11:03:48PM +0200, Tomas Härdin wrote:
> On Mon, 2019-09-09 at 22:16 +0200, Michael Niedermayer wrote:
> > This basically checks if a pixel that was coded with prediction
> > and residual could have been stored using a previous case.
> > This avoids basically a string of 0 symbols stored in less than
> > 50 bytes to hit a O(n²) codepath.
> > 
> > Fixes: Timeout (too slow to wait -> immediately)
> > Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4895946310680576
> 
> go2unpleasantplaces indeed
> 

> Something tells me there are more ways than this to hit that codepath,

Yes, certainly; the question is how many input bytes that needs.
Because if it needs a lot, this is still a significant improvement.
Now why could it need more bytes?
The cache loops over all values in an entry, and if the same value
is in it multiple times that is rather slow and causes no symbol
to be read. But if there are different values in an entry, each
will cause a symbol to be read, moving the bitstream forward a tiny
bit.
We eliminate/reduce (or at least that's the idea) having duplicate values
in the cache. So that should change the input symbols from n to n*n;
still, how much that is in bytes would require further analysis.

But do you have a better idea than this patch?
If not, I would suggest applying it and seeing what the fuzzer finds
with this.
Or we could add a counter and a threshold to the cache and,
if it's used more than constant*width*height, error out.

The problem with g2m is that its cache and stack design is integrated
into the bitstream. So fixing this in an obvious way would
change the bitstream, which of course doesn't work...

thx

> and I've made my feelings about hacks like this known already.
> 
> /Tomas

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
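As an added illustration (not part of this mail and not libavcodec/g2meet.c), the following toy C model shows the failure mode described above and both mitigations the mail discusses: a cheap symbol pushes one more copy of the same value into a per-value cache chain that the decoder walks in full, so n such symbols cost O(n^2) steps from roughly 2n bits of input; the strict mode rejects a prediction+residual coding that a previous, cheaper case already covers (the patch's idea), and the work counter errors out once it exceeds constant*width*height (the alternative proposed in the mail). The bitstream layout, the unary residual code, the bucket layout and every name (ToyDecoder, toy_decode, toy_run, toy_work, TOY_E*) are assumptions of this model, not the G2M format.

```c
/* Hypothetical toy model, added here as illustration; it is not
 * libavcodec/g2meet.c and its bitstream layout is invented.  A pixel is
 * coded either as case 0 (one bit: repeat the predicted pixel) or case 1
 * (bit 1, then a unary residual added to the prediction; the result is
 * pushed into a cache chain that the decoder walks in full). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TOY_EINVAL  (-1)   /* coding that a cheaper case already covers */
#define TOY_EBUDGET (-2)   /* cache work exceeded constant*width*height */
#define TOY_ENOMEM  (-3)
#define TOY_BUCKETS 64

typedef struct { const uint8_t *buf; size_t len, pos; } ToyBits; /* pos in bits */

static int toy_get_bit(ToyBits *b)
{
    if (b->pos >= b->len * 8)
        return -1;                                   /* input exhausted */
    int bit = (b->buf[b->pos >> 3] >> (7 - (b->pos & 7))) & 1;
    b->pos++;
    return bit;
}

/* Unary residual: k ones then a zero, so a zero residual costs one bit. */
static int toy_get_residual(ToyBits *b)
{
    int k = 0, bit;
    while ((bit = toy_get_bit(b)) == 1)
        if (++k > 255)
            return -1;
    return bit < 0 ? -1 : k;
}

typedef struct { uint32_t *vals; int n, cap; } ToyBucket; /* chain per value hash */

typedef struct {
    int width, height;
    int strict;          /* reject codings a cheaper case would have produced */
    uint64_t work;       /* chain nodes visited so far */
    uint64_t budget;     /* 0 = unlimited, else constant * width * height */
    ToyBucket bucket[TOY_BUCKETS];
} ToyDecoder;

/* Append v to its chain and walk the whole chain counting equal pixels.
 * n copies of one value make a chain of length n, so n such pushes cost
 * O(n^2); distinct values spread over buckets and stay cheap. */
static int toy_cache_push(ToyDecoder *d, uint32_t v)
{
    ToyBucket *bk = &d->bucket[v % TOY_BUCKETS];
    int matches = 0;
    if (bk->n == bk->cap) {
        int ncap = bk->cap ? bk->cap * 2 : 16;
        uint32_t *nv = realloc(bk->vals, ncap * sizeof(*nv));
        if (!nv)
            return TOY_ENOMEM;
        bk->vals = nv;
        bk->cap  = ncap;
    }
    bk->vals[bk->n++] = v;
    for (int i = 0; i < bk->n; i++) {
        d->work++;
        matches += bk->vals[i] == v;
    }
    return matches;
}

/* Decode up to width*height pixels; returns pixels decoded or a TOY_E* code. */
static int toy_decode(ToyDecoder *d, const uint8_t *data, size_t len, uint32_t *out)
{
    ToyBits b = { data, len, 0 };
    uint32_t pred = 0;
    int npix = d->width * d->height, i;
    for (i = 0; i < npix; i++) {
        int sym = toy_get_bit(&b);
        if (sym < 0)
            break;
        uint32_t v;
        if (sym == 0) {
            v = pred;                            /* case 0: no cache update */
        } else {
            int resid = toy_get_residual(&b);
            if (resid < 0)
                break;
            if (d->strict && resid == 0)         /* case 0 codes this pixel already */
                return TOY_EINVAL;
            v = (pred + resid) & 0xff;
            int r = toy_cache_push(d, v);        /* case 1: cache the new pixel */
            if (r < 0)
                return r;
            if (d->budget && d->work > d->budget)
                return TOY_EBUDGET;
        }
        out[i] = v;
        pred = v;
    }
    return i;
}

/* Run a 16x16 frame over 50 constructed bytes of `fill`.  0xaa (10101010b)
 * is the hostile stream: every pixel is case 1 with residual 0, two bits per
 * pixel, so 50 bytes push 200 copies of one value.  0x00 is a benign stream. */
static int toy_run(uint8_t fill, int strict, uint64_t budget_factor, uint64_t *work_out)
{
    uint8_t data[50];
    uint32_t out[256];
    ToyDecoder d = { .width = 16, .height = 16, .strict = strict };
    d.budget = budget_factor * d.width * d.height;
    memset(data, fill, sizeof(data));
    int r = toy_decode(&d, data, sizeof(data), out);
    if (work_out)
        *work_out = d.work;
    for (int i = 0; i < TOY_BUCKETS; i++)
        free(d.bucket[i].vals);
    return r;
}

static uint64_t toy_work(uint8_t fill, int strict, uint64_t budget_factor)
{
    uint64_t w = 0;
    toy_run(fill, strict, budget_factor, &w);
    return w;
}
```

Unchecked, the hostile 50-byte stream decodes 200 pixels at a cost of 200*201/2 = 20100 chain steps, while the benign stream of the same length costs none; with a budget of 8*16*16 = 2048 the decoder gives up at the 64th push (2080 steps), and in strict mode it rejects the very first pixel because case 0 would have coded it. Note that the budget only bounds the damage per frame, and that a stream using distinct nonzero residuals still grows the chains, just more slowly and at more bits per pixel, which is the "further analysis" the mail leaves open.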