[FFmpeg-devel] [PATCH v5 00/10] aacdec: add a native xHE-AAC decoder
Michael Niedermayer
michael at niedermayer.cc
Sat Jul 20 02:42:07 EEST 2024
On Thu, May 30, 2024 at 04:37:08AM +0200, Lynne via ffmpeg-devel wrote:
> This commit adds a decoder for the frequency-domain part of USAC.
>
> Changes over version 4:
> - Actually reset entropy decoding upon configuration.
> - Support for LFE channels.
>
> Lynne (10):
> channel_layout: add new channel positions supported by xHE-AAC
> aacdec: move from scalefactor ranged arrays to flat arrays
> aacdec: expose channel layout related functions
> aacdec: expose decode_tns
> aacdec_dsp: implement 768-point transform and windowing
> aactab: add deemphasis tables for USAC
> aactab: add tables for the new USAC arithmetic coder
> aactab: add new scalefactor offset tables for 96/768pt windows
> aacdec: add a decoder for AAC USAC (xHE-AAC)
> fate: add tests for xHE-AAC
>
> libavcodec/aac/Makefile | 3 +-
> libavcodec/aac/aacdec.c | 371 +++---
> libavcodec/aac/aacdec.h | 219 +++-
> libavcodec/aac/aacdec_ac.c | 208 ++++
> libavcodec/aac/aacdec_ac.h | 54 +
> libavcodec/aac/aacdec_dsp_template.c | 162 ++-
> libavcodec/aac/aacdec_fixed.c | 2 +
> libavcodec/aac/aacdec_float.c | 4 +
> libavcodec/aac/aacdec_latm.h | 14 +-
> libavcodec/aac/aacdec_lpd.c | 198 ++++
> libavcodec/aac/aacdec_lpd.h | 33 +
> libavcodec/aac/aacdec_usac.c | 1608 ++++++++++++++++++++++++++
> libavcodec/aac/aacdec_usac.h | 37 +
> libavcodec/aactab.c | 560 +++++++++
> libavcodec/aactab.h | 22 +
> libavcodec/sinewin_fixed_tablegen.c | 2 +
> libavcodec/sinewin_fixed_tablegen.h | 4 +
> libavutil/channel_layout.c | 4 +
> libavutil/channel_layout.h | 8 +
> tests/fate/aac.mak | 8 +
> 20 files changed, 3286 insertions(+), 235 deletions(-)
> create mode 100644 libavcodec/aac/aacdec_ac.c
> create mode 100644 libavcodec/aac/aacdec_ac.h
> create mode 100644 libavcodec/aac/aacdec_lpd.c
> create mode 100644 libavcodec/aac/aacdec_lpd.h
> create mode 100644 libavcodec/aac/aacdec_usac.c
> create mode 100644 libavcodec/aac/aacdec_usac.h
This patchset seems to introduce some issue.
I'll mail you the testcase.
Running: 70425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6007809271988224
=================================================================
==87684==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f465944c648 at pc 0x0000004df24c bp 0x7fffbe95eac0 sp 0x7fffbe95eab8
WRITE of size 8 at 0x7f465944c648 thread T0
#0 0x4df24b in frame_configure_elements ffmpeg/libavcodec/aac/aacdec.c:201:44
#1 0x5083d7 in aac_decode_frame_int ffmpeg/libavcodec/aac/aacdec.c:2398:16
#2 0x4fb930 in aac_decode_frame ffmpeg/libavcodec/aac/aacdec.c:2481:15
#3 0x68f21f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
#4 0x68f21f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
#5 0x68f21f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
#6 0x68dc4d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
#7 0x4d1e65 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
#8 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
#9 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
#10 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
#11 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
#12 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#13 0x42402d in _start (ffmpeg/tools/target_dec_aac_fixed_fuzzer+0x42402d)
0x7f465944c648 is located 40520 bytes inside of 642496-byte region [0x7f4659442800,0x7f46594df5c0)
freed by thread T0 here:
#0 0x49bd2d in free /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
#1 0x4dceb0 in che_configure ffmpeg/libavcodec/aac/aacdec.c:168:9
#2 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
#3 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
#4 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
#5 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
#6 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
#7 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
#8 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
#9 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
#10 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
#11 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
#12 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
#13 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
#14 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
previously allocated by thread T0 here:
#0 0x49ca47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
#1 0x1615548 in av_malloc ffmpeg/libavutil/mem.c:107:9
#2 0x1615ca7 in av_mallocz ffmpeg/libavutil/mem.c:258:17
#3 0x60b5af in ff_aac_sbr_ctx_alloc_init_fixed ffmpeg/libavcodec/aacsbr_template.c:74:30
#4 0x4dcd96 in che_configure ffmpeg/libavcodec/aac/aacdec.c:149:23
#5 0x4d9587 in ff_aac_output_configure ffmpeg/libavcodec/aac/aacdec.c:492:15
#6 0x576abd in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:509:11
#7 0x500a1a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
#8 0x4e71ef in decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec.c:1094:12
#9 0x4e596a in ff_aac_decode_init ffmpeg/libavcodec/aac/aacdec.c:1188:20
#10 0x518aee in ff_aac_decode_init_fixed ffmpeg/libavcodec/aac/aacdec_fixed.c:104:12
#11 0x66ca49 in avcodec_open2 ffmpeg/libavcodec/avcodec.c:326:19
#12 0x4cff68 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:460:15
#13 0x192519d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
#14 0x1919d72 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
#15 0x191ef71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
#16 0x1919a50 in main Fuzzer/build/../FuzzerMain.cpp:20:10
#17 0x7f465c594082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-use-after-free ffmpeg/libavcodec/aac/aacdec.c:201:44 in frame_configure_elements
Shadow bytes around the buggy address:
0x0fe94b281870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b281880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b281890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b2818a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b2818b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe94b2818c0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0fe94b2818d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b2818e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b2818f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b281900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe94b281910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==87684==ABORTING
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
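The two stack traces above share a shape worth modelling: an element (and its SBR context, allocated in che_configure during avcodec_open2) is freed by a second che_configure call from the same config path, yet the first decoded frame still reaches it through frame_configure_elements and writes into the freed region. The snippet below is an added illustration of that bug class, not FFmpeg code and not a claim about the actual root cause in the patchset: the per-frame pointer cache (`active[]`), the slot arena with a "freed" tombstone standing in for ASan's quarantine, and every function and type name except the two borrowed from the trace (`che_configure`, `frame_configure_elements`, which here are toy reimplementations) are assumptions made for the model. The tombstone lets the stale write be detected and counted instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not FFmpeg): configured elements are freed during
 * reconfiguration while a second, per-frame pointer table still refers to
 * them. The arena never reuses a freed slot, mimicking ASan's quarantine. */
#define MAX_ELEMS 4

enum { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };

typedef struct ChannelElement {
    int     state;            /* SLOT_* */
    int     id;
    int32_t sbr_data[16];     /* stands in for the SBR context buffer */
} ChannelElement;

typedef struct DecoderCtx {
    ChannelElement  arena[MAX_ELEMS];   /* backing storage ("heap") */
    ChannelElement *che[MAX_ELEMS];     /* configured elements by id, NULL if absent */
    ChannelElement *active[MAX_ELEMS];  /* per-frame pointer cache: the hazard */
    int             nb_active;
    int             uaf_writes;         /* stale writes caught by the tombstone */
} DecoderCtx;

static ChannelElement *che_alloc(DecoderCtx *ac, int id)
{
    for (int i = 0; i < MAX_ELEMS; i++) {
        if (ac->arena[i].state == SLOT_UNUSED) {
            ac->arena[i].state = SLOT_LIVE;
            ac->arena[i].id    = id;
            memset(ac->arena[i].sbr_data, 0, sizeof ac->arena[i].sbr_data);
            return &ac->arena[i];
        }
    }
    return NULL;
}

/* Like free() under ASan: the block is poisoned and never handed out again. */
static void che_free(ChannelElement *che)
{
    che->state = SLOT_FREED;
}

/* che_configure-style: allocate on enable, free on disable. */
static int che_configure(DecoderCtx *ac, int id, int enable)
{
    if (enable && !ac->che[id]) {
        ac->che[id] = che_alloc(ac, id);
        return ac->che[id] ? 0 : -1;
    }
    if (!enable && ac->che[id]) {
        che_free(ac->che[id]);
        ac->che[id] = NULL;
    }
    return 0;
}

/* Rebuild the per-frame cache from the configured set. */
static void rebuild_active(DecoderCtx *ac)
{
    ac->nb_active = 0;
    for (int id = 0; id < MAX_ELEMS; id++)
        if (ac->che[id])
            ac->active[ac->nb_active++] = ac->che[id];
}

/* frame_configure_elements-style: writes into every cached element.
 * Returns -1 if any cached pointer refers to a freed slot, else 0. */
static int frame_configure_elements(DecoderCtx *ac)
{
    for (int i = 0; i < ac->nb_active; i++) {
        ChannelElement *che = ac->active[i];
        if (che->state != SLOT_LIVE) {  /* what ASan reports as heap-use-after-free */
            ac->uaf_writes++;
            continue;
        }
        che->sbr_data[0] = 1;
    }
    return ac->uaf_writes ? -1 : 0;
}

/* Initial configuration: two elements, cache built once. */
static void decoder_init(DecoderCtx *ac)
{
    memset(ac, 0, sizeof *ac);
    che_configure(ac, 0, 1);
    che_configure(ac, 1, 1);
    rebuild_active(ac);
}

/* Buggy path: a later configuration drops element 1 but the cache is kept. */
int run_buggy_reconfigure(void)
{
    DecoderCtx ac;
    decoder_init(&ac);
    che_configure(&ac, 1, 0);
    return frame_configure_elements(&ac);   /* -1: stale pointer written */
}

/* Fixed path: the cache is rebuilt after every configuration change. */
int run_fixed_reconfigure(void)
{
    DecoderCtx ac;
    decoder_init(&ac);
    che_configure(&ac, 1, 0);
    rebuild_active(&ac);
    return frame_configure_elements(&ac);   /* 0: only live elements touched */
}
```

The fix pattern is the general one for this class: any table that caches pointers into a reconfigurable set must be invalidated or rebuilt by the same routine that frees members of that set, so a config change that happens during init (as both stacks above show) cannot leave a dangling pointer for the first frame to write through.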