[Ffmpeg-devel] [PATCH] fix x86 asm in order to avoid textrels

Michael Niedermayer michaelni
Tue Jan 30 18:33:47 CET 2007


Hi

On Tue, Jan 30, 2007 at 05:37:36PM +0100, Luca Barbato wrote:
> Michael Niedermayer wrote:
> > 
> > this code is wrong , it can be used to write arbitrary data to an arbitrary
> > address, its ironic that this is written by someone with the name "pax team"
> > to be more precisse %%mm0 contains some pixels which have been decoded, they
> > can be set arbitrarily by using PCM macroblocks
> > %%mm0 is then written into %0 (a register after the patch) which is then later
> > used as base for writing 3 more decoded 32bit values
> > 
> > also the old code is not what is in
> > svn please dont send such trash to ffmpeg-dev
> 
> Now is
> 
> Tue Jan 30 17:31:53 CET 2007
> 
> The patch had been made yesterday against what was the current svn,
> atleast to my knowledge, my fault for not pushing it the exact time but
> 12hours later...

the patch contains:

diff -urp ffmpeg-old/libavcodec/i386/dsputil_mmx.c ffmpeg/libavcodec/i386/dsputil_mmx.c
--- ffmpeg-old/libavcodec/i386/dsputil_mmx.c    2007-01-30 01:09:30.000000000 +0100
+++ ffmpeg/libavcodec/i386/dsputil_mmx.c        2007-01-30 01:11:41.000000000 +0100
@@ -657,15 +657,14 @@ static inline void transpose4x4(uint8_t
         "punpckhwd %%mm2, %%mm1         \n\t"
         "movd  %%mm0, %0                \n\t"
         "punpckhdq %%mm0, %%mm0         \n\t"
-        "movd  %%mm0, %1                \n\t"
-        "movd  %%mm1, %2                \n\t"
+        "movd  %%mm0, (%0,%1)           \n\t"
+        "movd  %%mm1, (%0,%1,2)         \n\t"
         "punpckhdq %%mm1, %%mm1         \n\t"
-        "movd  %%mm1, %3                \n\t"
+        "lea (%1,%1,2), %1              \n\t"
+        "movd  %%mm1, (%0,%1)           \n\t"

-        : "=m" (*(uint32_t*)(dst + 0*dst_stride)),
-          "=m" (*(uint32_t*)(dst + 1*dst_stride)),
-          "=m" (*(uint32_t*)(dst + 2*dst_stride)),
-          "=m" (*(uint32_t*)(dst + 3*dst_stride))
+        : "=r" (*(uint32_t*)(dst)), "+r" (dst_stride)
+        :: "memory"
     );
 }

svn contains since r4764 up to HEAD (r7768) and 4764 was a tag->space change ...
static inline void transpose4x4(uint8_t *dst, uint8_t *src, int dst_stride, int src_stride){
    asm volatile( //FIXME could save 1 instruction if done as 8x4 ...
        "movd  %4, %%mm0                \n\t"
        "movd  %5, %%mm1                \n\t"
        "movd  %6, %%mm2                \n\t"
        "movd  %7, %%mm3                \n\t"
        "punpcklbw %%mm1, %%mm0         \n\t"
        "punpcklbw %%mm3, %%mm2         \n\t"
        "movq %%mm0, %%mm1              \n\t"
        "punpcklwd %%mm2, %%mm0         \n\t"
        "punpckhwd %%mm2, %%mm1         \n\t"
        "movd  %%mm0, %0                \n\t"
        "punpckhdq %%mm0, %%mm0         \n\t"
        "movd  %%mm0, %1                \n\t"
        "movd  %%mm1, %2                \n\t"
        "punpckhdq %%mm1, %%mm1         \n\t"
        "movd  %%mm1, %3                \n\t"

        : "=m" (*(uint32_t*)(dst + 0*dst_stride)),
          "=m" (*(uint32_t*)(dst + 1*dst_stride)),
          "=m" (*(uint32_t*)(dst + 2*dst_stride)),
          "=m" (*(uint32_t*)(dst + 3*dst_stride))
        :  "m" (*(uint32_t*)(src + 0*src_stride)),
           "m" (*(uint32_t*)(src + 1*src_stride)),
           "m" (*(uint32_t*)(src + 2*src_stride)),
           "m" (*(uint32_t*)(src + 3*src_stride))
    );
}



[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070130/3c749a3b/attachment.pgp>



More information about the ffmpeg-devel mailing list