[FFmpeg-devel] [PATCH] avcodec/vc1: fix out-of-bounds reference pixel replication

Michael Niedermayer michael at niedermayer.cc
Tue May 29 04:08:15 EEST 2018

On Sun, May 27, 2018 at 10:27:39PM +0200, Jerome Borsboom wrote:
> Out-of-bounds reference pixel replication should take into account the frame
> coding mode of the reference frame(s), not the frame coding mode of the
> current frame.
> Signed-off-by: Jerome Borsboom <jerome.borsboom at carpalis.nl>
> ---
> This should fix the remaining issue with the SA10180.vc1 test file.
>  libavcodec/vc1_mc.c | 659 ++++++++++++++++++++++++++++++----------------------
>  1 file changed, 379 insertions(+), 280 deletions(-)

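This causes segfaults. The crash is an invalid read through the source pointer (movups (%rdx),%xmm0 in ff_emu_edge_vfix18_sse), reached from ff_vc1_mc_1mv at libavcodec/vc1_mc.c:323: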

Program received signal SIGSEGV, Segmentation fault.
0x0000000000c36920 in ff_emu_edge_vfix18_sse ()
(gdb) bt
Python Exception <type 'exceptions.ImportError'> No module named gdb.frames: 
#0  0x0000000000c36920 in ff_emu_edge_vfix18_sse ()
#1  0x00000000009e6426 in emulated_edge_mc (dst=<optimized out>, src=<optimized out>, dst_stride=<optimized out>, src_stride=<optimized out>, block_w=<optimized out>, block_h=<optimized out>, src_x=<optimized out>, src_y=<optimized out>, w=<optimized out>, h=<optimized out>, vfix_tbl=<optimized out>, 
    v_extend_var=<optimized out>, hfix_tbl=<optimized out>, h_extend_var=<optimized out>) at libavcodec/x86/videodsp_init.c:195
#2  0x00000000009e6289 in emulated_edge_mc_sse2 (buf=0x1db3541 "", src=0x300 <error: Cannot access memory at address 0x300>, buf_stride=140737352976960, src_stride=768, block_w=<optimized out>, block_h=<optimized out>, src_x=-1, src_y=-2, w=720, h=240) at libavcodec/x86/videodsp_init.c:256
#3  0x0000000000913cee in ff_vc1_mc_1mv (v=0x1d01200, dir=<optimized out>) at libavcodec/vc1_mc.c:323
#4  0x00000000009086d4 in vc1_decode_p_mb_intfi (v=<optimized out>) at libavcodec/vc1_block.c:1758
#5  0x0000000000906516 in vc1_decode_p_blocks (v=<optimized out>) at libavcodec/vc1_block.c:2796
#6  0x000000000091b1c8 in vc1_decode_frame (avctx=0x1c46500, data=0x1c91ec0, got_frame=0x7fffffffd6c4, avpkt=<optimized out>) at libavcodec/vc1dec.c:1042
#7  0x00000000006ec6fb in decode_simple_internal (avctx=0x1c46500, frame=0x1c91ec0) at libavcodec/decode.c:398
#8  0x00000000006ec647 in decode_simple_receive_frame (avctx=0x1c46500, frame=0x1c91ec0) at libavcodec/decode.c:594
#9  0x00000000006ea0b2 in decode_receive_frame_internal (avctx=<optimized out>, frame=<optimized out>) at libavcodec/decode.c:612
#10 0x00000000006e9e7d in avcodec_send_packet (avctx=0x1c46500, avpkt=<optimized out>) at libavcodec/decode.c:674
#11 0x000000000042abda in decode (avctx=0x1c46500, frame=0x1c92600, got_frame=0x7fffffffd954, pkt=0x300) at fftools/ffmpeg.c:2234
#12 0x000000000042a0e1 in decode_video (ist=0x1c46c40, pkt=0x7fffffffd960, got_output=0x7fffffffd954, duration_pts=0x7fffffffd958, eof=0, decode_failed=0x7fffffffd950) at fftools/ffmpeg.c:2378
#13 0x00000000004234bd in process_input_packet (ist=0x1c46c40, pkt=0x7fffffffdcc0, no_eof=0) at fftools/ffmpeg.c:2619
#14 0x0000000000427574 in process_input (file_index=<optimized out>) at fftools/ffmpeg.c:4457
#15 0x000000000042263d in transcode_step () at fftools/ffmpeg.c:4577
#16 0x0000000000421081 in transcode () at fftools/ffmpeg.c:4631
#17 0x00000000004207b5 in main (argc=<optimized out>, argv=<optimized out>) at fftools/ffmpeg.c:4838

rax            0x0	0
rbx            0x1	1
rcx            0x300	768
rdx            0x7ffff7ee4a40	140737352976960
rsi            0x300	768
rdi            0x1db3541	31143233
rbp            0x7fffffffd390	0x7fffffffd390
rsp            0x7fffffffd338	0x7fffffffd338
r8             0x2	2
r9             0x23	35
r10            0x7ffff7ee4a40	140737352976960
r11            0x1db3540	31143232
r12            0x300	768
r13            0x13	19
r14            0x25	37
r15            0x13	19
rip            0xc36920	0xc36920 <ff_emu_edge_vfix18_sse+16>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

   0x0000000000c36900 <ff_emu_edge_vfix17_sse+80>:	(bad)  
   0x0000000000c36901 <ff_emu_edge_vfix17_sse+81>:	movd   %mm0,0xd(%rdi)
   0x0000000000c36905 <ff_emu_edge_vfix17_sse+85>:	add    %rsi,%rdi
   0x0000000000c36908 <ff_emu_edge_vfix17_sse+88>:	dec    %rax
   0x0000000000c3690b <ff_emu_edge_vfix17_sse+91>:	jne    0xc368fe <ff_emu_edge_vfix17_sse+78>
   0x0000000000c3690d <ff_emu_edge_vfix17_sse+93>:	repz retq 
   0x0000000000c3690f <ff_emu_edge_vfix17_sse+95>:	nop
   0x0000000000c36910 <ff_emu_edge_vfix18_sse+0>:	mov    0x8(%rsp),%rax
   0x0000000000c36915 <ff_emu_edge_vfix18_sse+5>:	sub    %r9,%rax
   0x0000000000c36918 <ff_emu_edge_vfix18_sse+8>:	sub    %r8,%r9
   0x0000000000c3691b <ff_emu_edge_vfix18_sse+11>:	test   %r8,%r8
   0x0000000000c3691e <ff_emu_edge_vfix18_sse+14>:	je     0xc36936 <ff_emu_edge_vfix18_sse+38>
=> 0x0000000000c36920 <ff_emu_edge_vfix18_sse+16>:	movups (%rdx),%xmm0
   0x0000000000c36923 <ff_emu_edge_vfix18_sse+19>:	movd   0xe(%rdx),%mm0
   0x0000000000c36927 <ff_emu_edge_vfix18_sse+23>:	movups %xmm0,(%rdi)
   0x0000000000c3692a <ff_emu_edge_vfix18_sse+26>:	movd   %mm0,0xe(%rdi)
   0x0000000000c3692e <ff_emu_edge_vfix18_sse+30>:	add    %rsi,%rdi
   0x0000000000c36931 <ff_emu_edge_vfix18_sse+33>:	dec    %r8
   0x0000000000c36934 <ff_emu_edge_vfix18_sse+36>:	jne    0xc36927 <ff_emu_edge_vfix18_sse+23>
   0x0000000000c36936 <ff_emu_edge_vfix18_sse+38>:	movups (%rdx),%xmm0
   0x0000000000c36939 <ff_emu_edge_vfix18_sse+41>:	movd   0xe(%rdx),%mm0
   0x0000000000c3693d <ff_emu_edge_vfix18_sse+45>:	movups %xmm0,(%rdi)

Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No human being will ever know the Truth, for even if they happen to say it
by chance, they would not even know they had done so. -- Xenophanes