[FFmpeg-devel] [PATCH] speedhq: make sure the block index is not negative

Michael Niedermayer michaelni at gmx.at
Wed Feb 1 11:53:06 EET 2017


On Wed, Feb 01, 2017 at 09:56:41AM +0100, Steinar H. Gunderson wrote:
> On Wed, Feb 01, 2017 at 02:17:05AM +0100, Andreas Cadhalpun wrote:
> >> Would you mind sharing an input where this actually triggers? None of the
> >> samples I have seem to trigger this, so I suppose it's some sort of fuzzed
> >> input.
> > Indeed it is. I've sent you a sample.
> 
> Thanks; I see what is happening now (and I should have fuzzed SHQ1 too, not
> just SHQ0 :-) ).
> 
> The relevant part is the construction of the (little-endian) alpha VLC:
> 
>         if (!run) {
>             /* 0 -> 0. */
>             run_code[run] = 0;
>             run_bits[run] = 1;
>         } else if (run <= 4) {
>             /* 10xx -> xx plus 1. */
>             run_code[run] = ((run - 1) << 2) | 1;
>             run_bits[run] = 4;
>         } else {
>             /* 111xxxxxxx -> xxxxxxx. */
>             run_code[run] = (run << 3) | 7;
>             run_bits[run] = 10;
>         }
> 
> The sample in question encodes 1110000000, which is a legal code for 0,
> but we haven't told the VLC this (since simply 0 is a much more logical
> way of doing it), so it returns -1 (signaling invalid). We will see the same
> problem in level_code/level_bits (a few lines further down), but it's not
> used for indexing, so it's not a crash issue.
> 

> My preference would be to simply decode this as 0 instead of returning;
> it would be both the safest and the fastest. Is there a way we can do this?

yes

also please check if there are more "holes" in the VLC table
(this is easy to check by summing the ranges covered by codes ...
which would sum to 1 if there are no holes)

ff_init_vlc_sparse()
we seem to be missing an INIT_*VLC_STATIC for that but that should be
trivial to add

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
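Michael's "sum the ranges" check applied to the alpha run VLC quoted above, as an added example (not FFmpeg's code). It assumes the long form's 7-bit field covers runs 0..127 and models only the three branches shown in the fragment, so the 110 prefix, which this fragment never assigns, is reported here as a hole alongside the five long-form codes for runs 0..4.

```c
#include <stdio.h>
#define MAX_BITS   10
#define NUM_LEAVES (1 << MAX_BITS)
#define NUM_RUNS   128 /* assumed: the 7-bit field of the long form */

/* Builds the run table exactly as the quoted fragment does (LSB-first codes). */
static void build_run_table(unsigned *code, unsigned *bits)
{
    for (int run = 0; run < NUM_RUNS; run++) {
        if (!run) {                  /* 0 -> 0 */
            code[run] = 0;                    bits[run] = 1;
        } else if (run <= 4) {       /* 10xx -> xx plus 1 */
            code[run] = ((run - 1) << 2) | 1; bits[run] = 4;
        } else {                     /* 111xxxxxxx -> xxxxxxx */
            code[run] = (run << 3) | 7;       bits[run] = 10;
        }
    }
}

struct kraft { int sum, holes, clashes; };
/* Michael's check: a b-bit code claims 2^(MAX_BITS-b) of the 2^MAX_BITS leaves, and
 * the claims sum to NUM_LEAVES (i.e. 1.0) iff no hole; clashes = doubly claimed. */
static struct kraft kraft_check(void)
{
    unsigned code[NUM_RUNS], bits[NUM_RUNS], owners[NUM_LEAVES] = {0};
    struct kraft k = {0, 0, 0};
    build_run_table(code, bits);
    for (int i = 0; i < NUM_RUNS; i++) {
        k.sum += 1 << (MAX_BITS - bits[i]);
        for (int leaf = 0; leaf < NUM_LEAVES; leaf++)
            if ((leaf & ((1u << bits[i]) - 1)) == code[i]) /* code is a prefix */
                owners[leaf]++;
    }
    for (int leaf = 0; leaf < NUM_LEAVES; leaf++)
        k.holes += owners[leaf] == 0, k.clashes += owners[leaf] > 1;
    return k;
}

/* 111xxxxxxx spells run xxxxxxx for any x, even 0..4 (fuzzed sample 1110000000 -> 0); -1 if not long form. */
static int long_form_run(int leaf)
{
    return (leaf & 7) == 7 ? (leaf >> 3) & 0x7f : -1;
}

int main(void)
{
    struct kraft k = kraft_check();
    printf("Kraft sum %d/%d, %d holes, %d clashes; 1110000000 -> run %d\n",
           k.sum, NUM_LEAVES, k.holes, k.clashes, long_form_run(7));
}
```

A complete table returns sum == NUM_LEAVES with zero holes and zero clashes; here the sum is 891/1024, which is exactly the gap a fuzzed bitstream can land in.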