[FFmpeg-devel] [HACK] fix CAVS decoder crashes

Michael Niedermayer michaelni
Sat Dec 18 02:44:40 CET 2010


On Sun, Dec 12, 2010 at 05:04:58PM +0100, Reimar Döffinger wrote:
> Hello,
> I have the suspicion this decoder needs heavy fuzzing testing.
> Anyway, trying to play http://samples.mplayerhq.hu/AVS/AVSFileFormat/AVSFileFormat.es
> results in crashes which below hack "fixes".
> Index: libavcodec/cavs.h
> ===================================================================
> --- libavcodec/cavs.h   (revision 25928)
> +++ libavcodec/cavs.h   (working copy)
> @@ -242,6 +242,7 @@
>  extern const cavs_vector ff_cavs_dir_mv;
>  
>  static inline void modify_pred(const int_fast8_t *mod_table, int *mode) {
> +    if (*mode < 0) *mode = 0;
>      *mode = mod_table[*mode];
>      if(*mode < 0) {
>          av_log(NULL, AV_LOG_ERROR, "Illegal intra prediction mode\n");
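
Review bot: The added `if (*mode < 0) *mode = 0;` silently rewrites an invalid index into a valid one, so a negative mode is decoded as whatever `mod_table[0]` maps to instead of being reported. The function already has an error path a few lines down ("Illegal intra prediction mode") for a negative table result; a negative input should take that same path (log and set a safe value, or return an error the caller can act on) rather than be clamped before the lookup. The visible lines also do not bound `*mode` from above before `mod_table[*mode]`, so an upper-bound check belongs next to this one.
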
> Index: libavcodec/cavsdec.c
> ===================================================================
> --- libavcodec/cavsdec.c        (revision 25928)
> +++ libavcodec/cavsdec.c        (working copy)
> @@ -122,7 +122,7 @@
>  
>      for(i=0;i<65;i++) {
>          level_code = get_ue_code(gb,r->golomb_order);
> -        if(level_code >= ESCAPE_CODE) {
> +        if(level_code >= ESCAPE_CODE || level_code < 0) {
>              run = ((level_code - ESCAPE_CODE) >> 1) + 1;
>              esc_code = get_ue_code(gb,esc_golomb_order);
>              level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
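
Review bot: Adding `|| level_code < 0` to the escape test sends a negative `level_code` into the escape branch, where the next line computes `run = ((level_code - ESCAPE_CODE) >> 1) + 1;` from it. A negative `level_code` only reaches this branch when it is below `ESCAPE_CODE`, so the difference is negative, the right shift of a negative int is implementation-defined, and `run` ends up zero or negative. Two lines later `r->level_add[run]` is indexed with that value whenever `run > r->max_run` is false, which moves the out-of-bounds access instead of removing it. A negative return from `get_ue_code()` should be handled as a bitstream error (log and return a failure from this function) before `run` is derived, and `run` should be range-checked before it indexes `level_add`.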

> @@ -234,7 +234,7 @@
>      for(block=0;block<4;block++) {
>          d = h->cy + h->luma_scan[block];
>          ff_cavs_load_intra_pred_luma(h, top, &left, block);
> -        h->intra_pred_l[h->pred_mode_Y[ff_cavs_scan3x3[block]]]
> +        h->intra_pred_l[FFMAX(h->pred_mode_Y[ff_cavs_scan3x3[block]], 0)]
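
Review bot: Wrapping the index in `FFMAX(..., 0)` at the `h->intra_pred_l[...]` lookup hides an invalid `pred_mode_Y` entry at the point of use: the decoder now runs predictor 0 on a block whose mode was never valid and produces output without any error. The check belongs where `pred_mode_Y` is filled in for an intra macroblock, with the macroblock rejected if the value is negative, so this lookup can rely on a validated index. The clamp also covers only the lower bound; nothing in the visible lines limits the value to the size of `intra_pred_l`.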

As Stefan has no time, some comments that might help debugging:
The intra pred stuff (likely) has to be >= 0 for intra blocks.
It (likely) is allowed to be negative for non-intra blocks.
I suspect the bug is where this becomes inconsistent (aka intra with negative).
A few asserts() might help finding this.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato