[FFmpeg-devel] [RFC] ff_huff_build_tree depends on uninitialized data+

Reimar Döffinger Reimar.Doeffinger
Fri Nov 30 18:57:31 CET 2007


Hello,
that function has the following code
>    cur_node = nb_codes;
>    for(i = 0; i < nb_codes*2-1; i += 2){
>        nodes[cur_node].sym = HNODE;
>        nodes[cur_node].count = nodes[i].count + nodes[i+1].count;
>        nodes[cur_node].n0 = i;
>        for(j = cur_node; j > 0; j--){
>            if(nodes[j].count > nodes[j-1].count ||


Only the first nb_codes of nodes.count must be initialized.
Assume that nb_codes == 1.
Then
> nodes[1].count = nodes[0].count + nodes[1].count;
will be executed, which is undefined.
And a few lines down, nodes[1].count is compared against nodes[0].count.
There are obviously loads of ways to fix it, the simplest being probably
to do
> nodes[2*nb_codes-1].count = 0;
somewhere before, but I am not sure if that is correct.
Could someone please look at it?
I think this might be what causes the crash in the vp6 codec in issue 275.

Greetings,
Reimar Döffinger
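The following is an added, self-contained C illustration of the point raised in the mail; it is not FFmpeg code and not the author's. It reproduces the loop shape of the quoted fragment over a stand-in `Node` struct (the field names `sym`, `count`, `n0` and the `HNODE` marker follow the fragment; the leaf sort, the simplified tie-break in the inner loop and the `POISON` sentinel are assumptions of this example). Instead of relying on real uninitialized memory, which would be undefined behaviour, the caller pre-fills the upper half of the array with a constructed sentinel and `build_tree` counts every time a sentinel-valued `count` feeds the sum. It also goes beyond the `nb_codes == 1` case of the mail: because the outer loop runs `nb_codes` times but only `nb_codes - 1` internal nodes are needed, the last iteration always reads slot `2*nb_codes-1` before anything has written it, and zeroing that slot beforehand (the fix proposed in the mail) removes the read for every size.

```c
#include <stdio.h>

#define HNODE  (-1)       /* marker for an internal node, as in the fragment */
#define POISON (-12345)   /* constructed sentinel standing in for garbage memory */
#define MAX_CODES 32      /* nodes[] below holds 2*MAX_CODES entries */

/* Stand-in for the decoder's node type (assumed layout, not FFmpeg's). */
typedef struct {
    int sym;    /* leaf symbol, or HNODE for an internal node */
    int count;  /* frequency of a leaf, or sum of its two children */
    int n0;     /* index of the first child; the second child is n0+1 */
} Node;

static void swap_nodes(Node *a, Node *b) { Node t = *a; *a = *b; *b = t; }

/* Ascending insertion sort of the nb_codes leaves by count (the real
   function sorts with qsort and a caller-supplied comparator). */
static void sort_leaves(Node *nodes, int nb_codes)
{
    for (int i = 1; i < nb_codes; i++)
        for (int j = i; j > 0 && nodes[j].count < nodes[j-1].count; j--)
            swap_nodes(&nodes[j], &nodes[j-1]);
}

/* Builds the tree in nodes[0..2*nb_codes-1] with the same loop shape as
   the quoted fragment. The caller pre-fills nodes[nb_codes..2*nb_codes-1]
   with POISON, so a POISON count feeding the sum is a read of a slot the
   loop has not written yet. Returns the number of such reads. */
static int build_tree(Node *nodes, int nb_codes, int zero_last)
{
    int uninit_reads = 0;

    for (int i = 0; i < nb_codes; i++) {
        nodes[i].sym = i;
        nodes[i].n0  = -2;
    }
    sort_leaves(nodes, nb_codes);

    if (zero_last)
        nodes[2*nb_codes-1].count = 0;   /* the initialisation proposed in the mail */

    int cur_node = nb_codes;
    for (int i = 0; i < nb_codes*2-1; i += 2) {
        if (nodes[i].count == POISON || nodes[i+1].count == POISON)
            uninit_reads++;
        nodes[cur_node].sym   = HNODE;
        nodes[cur_node].count = nodes[i].count + nodes[i+1].count;
        nodes[cur_node].n0    = i;
        /* Bubble the new node down so counts stay ascending. Ties keep
           the new node behind existing ones (simplified tie-break). */
        for (int j = cur_node; j > 0; j--) {
            if (nodes[j].count >= nodes[j-1].count)
                break;
            swap_nodes(&nodes[j], &nodes[j-1]);
        }
        cur_node++;
    }
    return uninit_reads;
}

/* Runs build_tree over nb_codes constructed leaf frequencies (1, 2, ...)
   and reports how many times a never-written slot was read. */
static int count_uninit_reads(int nb_codes, int zero_last)
{
    Node nodes[2 * MAX_CODES];
    if (nb_codes < 1 || nb_codes > MAX_CODES)
        return -1;
    for (int i = 0; i < 2*nb_codes; i++) {
        nodes[i].sym = HNODE; nodes[i].count = POISON; nodes[i].n0 = -2;
    }
    for (int i = 0; i < nb_codes; i++)
        nodes[i].count = 1 + i;          /* constructed frequencies */
    return build_tree(nodes, nb_codes, zero_last);
}

int main(void)
{
    for (int n = 1; n <= 4; n++)
        printf("nb_codes=%d: %d unwritten read(s) without fix, %d with fix\n",
               n, count_uninit_reads(n, 0), count_uninit_reads(n, 1));
    return 0;
}
```

Running it shows exactly one sentinel read per build without the zero-initialisation and none with it, for every `nb_codes` tried; a real build would do the same with whatever happened to be in the slot, which is the kind of input-dependent control flow that a decoder fed with a crafted Huffman table should never have.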
