[FFmpeg-devel] [PATCH] too late bounds check in mpeg1_decode_block_intra

Reimar Döffinger Reimar.Doeffinger
Thu Apr 10 18:40:04 CEST 2008

On Thu, Apr 10, 2008 at 06:26:25PM +0200, Michael Niedermayer wrote:
> On Thu, Apr 10, 2008 at 05:35:03PM +0200, Reimar Döffinger wrote:
> > Hello,
> > someone on MPlayer-users seems to have problems due to this. While I
> > can't test myself, the code seems obviously wrong to me.
> > Attached is my suggestion to fix it, though there are other
> > possibilities, like increasing the size of intra_scantable.permutated
> > to 256 and maybe more.
> First I don't see a problem and would thus like to see how exactly something
> can go wrong. There are 64 entries (raster_end) after "permutated" and I don't
> see how the code could read past them. It's maybe not beautiful but as long
> as there is no bug I am against making the code more complex.

I just assumed that the raster_end entries might be > 63. And those fields
maybe should have an additional comment then if we decide that the code
should be allowed to assume their order.
The only additional information I have so far is that it only happens
with MPlayer playing from /dev/video0, that it does not happen with a
file obtained via -dumpstream and this backtrace:

0x084404c6 in mpeg_decode_mb (s=0x88eb020, block=<value optimized out>) at mpeg12.c:1162
1162                    level= (level*qscale*quant_matrix[j])>>4;
(gdb) bt
#0  0x084404c6 in mpeg_decode_mb (s=0x88eb020, block=<value optimized out>) at mpeg12.c:1162
#1  0x08442560 in mpeg_decode_slice (s1=0x88eb020, mb_y=0, buf=0xbfc4ce54, buf_size=1873) at mpeg12.c:1748
#2  0x084438a0 in decode_chunks (avctx=0x88eacb0, picture=0x88eabd0, data_size=0xbfc4cf64, buf=0xb6afb008 "", buf_size=1988)
    at mpeg12.c:2409
#3  0x084443b3 in mpeg_decode_frame (avctx=0x88eacb0, data=0x88eabd0, data_size=0xbfc4cf64, buf=0xb6afb008 "", buf_size=1988)
    at mpeg12.c:2289
#4  0x082b2d4a in avcodec_decode_video (avctx=0x88eacb0, picture=0x88eabd0, got_picture_ptr=0xbfc4cf64, buf=0xb6afb008 "",
    buf_size=1988) at utils.c:945
#5  0x081534a7 in decode (sh=0x88e0038, data=0xb6afb008, len=1988, flags=<value optimized out>) at vd_ffmpeg.c:773
#6  0x0811ba0e in decode_video (sh_video=0x88e0038, start=0xb6afb008 "", in_size=1988, drop_frame=0, pts=0.033366665244102478)
    at dec_video.c:369
#7  0x08093d8b in main (argc=12, argv=0xbfc4f234) at mplayer.c:2287

Reimar Döffinger
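As an added illustration (not the patch attached to this mail and not FFmpeg's own code), a simplified C model of the intra block loop with the `i > 63` check moved ahead of the scan-table lookup; the struct layout, the run/level stream and the table contents are constructed assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the decoder's scan table (constructed, not FFmpeg's
 * struct): permutated[64] immediately followed by raster_end[64], the layout
 * the thread relies on when i exceeds 63. */
typedef struct {
    uint8_t permutated[64];
    uint8_t raster_end[64];
} ScanTable;

typedef struct { int run; int level; } Coef;  /* one decoded (run, level) pair */

/* Place coefficients into block[] with the bounds check BEFORE the scan-table
 * lookup, so neither permutated[] nor quant_matrix[] is indexed out of range.
 * Returns the number of coefficients placed, or -1 when the scan position
 * runs past the 64-entry block (a damaged stream). */
int decode_block_checked(const ScanTable *st, const uint8_t quant_matrix[64],
                         int qscale, const Coef *coefs, size_t n, int block[64])
{
    int i = 0;                       /* scan position; slot 0 is the DC term */
    memset(block, 0, 64 * sizeof(int));
    for (size_t k = 0; k < n; k++) {
        i += coefs[k].run;           /* the "i += run" idiom from mpeg12.c */
        if (i > 63)                  /* check first: reject before any lookup */
            return -1;
        int j = st->permutated[i];
        if (j > 63)                  /* do not trust table contents either */
            return -1;
        block[j] = (coefs[k].level * qscale * quant_matrix[j]) >> 4;
    }
    return (int)n;
}

/* Constructed sample: identity scan order, flat quant matrix of 16, qscale 2.
 * damaged != 0 selects a stream whose runs push i to 65. */
static int run_sample(int damaged, int block[64])
{
    ScanTable st; uint8_t qm[64];
    for (int i = 0; i < 64; i++) { st.permutated[i] = (uint8_t)i; st.raster_end[i] = 63; qm[i] = 16; }
    static const Coef good[] = { {1, 3}, {2, 5}, {60, 1} };   /* ends at i = 63 */
    static const Coef bad[]  = { {60, 1}, {5, 1} };           /* 60 + 5 = 65 */
    return damaged ? decode_block_checked(&st, qm, 2, bad, 2, block)
                   : decode_block_checked(&st, qm, 2, good, 3, block);
}

int sample_count(int damaged) { int b[64]; return run_sample(damaged, b); }
int sample_value(int idx)     { int b[64]; run_sample(0, b); return b[idx]; }

int main(void)
{
    printf("good: %d coefficients, block[3] = %d\n", sample_count(0), sample_value(3));
    printf("damaged: %d (rejected before the table read)\n", sample_count(1));
    return 0;
}
```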
