[FFmpeg-trac] #4587(avcodec:new): ouf-of-boundry memory access in cabac(H264)

FFmpeg trac at avcodec.org
Fri Jun 5 05:37:32 CEST 2015 

#4587: ouf-of-boundry memory access in cabac(H264)
-------------------------------------+-----------------------------------
             Reporter:  rakexue      |                    Owner:
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  avcodec
              Version:  unspecified  |               Resolution:
             Keywords:  H264 crash   |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-----------------------------------

Comment (by rakexue):

 Then close
 {{{
 #define get_cabac_inline get_cabac_inline_arm
 }}}
  to use plain C

 {{{
 static void refill2(CABACContext *c){
     int i, x;

     x= c->low ^ (c->low-1);
     i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)];

     x= -CABAC_MASK;

 #if CABAC_BITS == 16
         x+= (c->bytestream[0]<<9) + (c->bytestream[1]<<1);
 #else
         x+= c->bytestream[0]<<1;
 #endif

     c->low += x<<i;
     if (c->bytestream >= c->bytestream_end)
        av_log(NULL, AV_LOG_ERROR, "c->bytestream = %x, c->bytestream_end =
 %x \n", c->bytestream, c->bytestream_end);
 #if !UNCHECKED_BITSTREAM_READER
     if (c->bytestream < c->bytestream_end)
 #endif
         c->bytestream += CABAC_BITS/8;
 }

 static av_always_inline int get_cabac_inline(CABACContext *c, uint8_t *
 const state){
     int s = *state;
     int RangeLPS= ff_h264_lps_range[2*(c->range&0xC0) + s];
     int bit, lps_mask;

     c->range -= RangeLPS;
     lps_mask= ((c->range<<(CABAC_BITS+1)) - c->low)>>31;

     c->low -= (c->range<<(CABAC_BITS+1)) & lps_mask;
     c->range += (RangeLPS - c->range) & lps_mask;

     s^=lps_mask;
     *state= (ff_h264_mlps_state+128)[s];
     bit= s&1;

     lps_mask= ff_h264_norm_shift[c->range];
     c->range<<= lps_mask;
     c->low  <<= lps_mask;
     if(!(c->low & CABAC_MASK))
         refill2(c);
     return bit;
 }
 #endif
 }}}
 and some logs:

 {{{
  if (c->bytestream >= c->bytestream_end)
        av_log(NULL, AV_LOG_ERROR, "c->bytestream = %x, c->bytestream_end =
 %x \n", c->bytestream, c->bytestream_end);
 }}}

 get the following output:

 {{{
 06-05 11:30:46.490: I/fromffmpeg(7229): c->bytestream = 5c0ad51f,
 c->bytestream_end = 5c0ad51f
 06-05 11:30:47.004: I/fromffmpeg(7229): c->bytestream = 5cdb754a,
 c->bytestream_end = 5cdb754a
 06-05 11:30:47.830: I/fromffmpeg(7229): c->bytestream = 5c3be7cb,
 c->bytestream_end = 5c3be7cb
 06-05 11:30:48.170: I/fromffmpeg(7229): c->bytestream = 5cdb7ab5,
 c->bytestream_end = 5cdb7ab5
 06-05 11:30:48.460: I/fromffmpeg(7229): c->bytestream = 5c0ad02d,
 c->bytestream_end = 5c0ad02d
 06-05 11:30:48.674: I/fromffmpeg(7229): c->bytestream = 5c420337,
 c->bytestream_end = 5c420337
 06-05 11:30:49.404: I/fromffmpeg(7229): c->bytestream = 5c0ad104,
 c->bytestream_end = 5c0ad104
 06-05 11:30:49.567: I/fromffmpeg(7229): c->bytestream = 5c3be106,
 c->bytestream_end = 5c3be106
 06-05 11:30:50.537: I/fromffmpeg(7229): c->bytestream = 5c420482,
 c->bytestream_end = 5c420482
 06-05 11:30:50.647: I/fromffmpeg(7229): c->bytestream = 5c3be35e,
 c->bytestream_end = 5c3be35e
 06-05 11:30:50.710: I/fromffmpeg(7229): c->bytestream = 5cdb7481,
 c->bytestream_end = 5cdb7481
 06-05 11:30:51.217: I/fromffmpeg(7229): c->bytestream = 5c4202a3,
 c->bytestream_end = 5c4202a3
 06-05 11:30:51.804: I/fromffmpeg(7229): c->bytestream = 5c0ad331,
 c->bytestream_end = 5c0ad331
 06-05 11:30:52.517: I/fromffmpeg(7229): c->bytestream = 5c3be272,
 c->bytestream_end = 5c3be272
 06-05 11:30:52.610: I/fromffmpeg(7229): c->bytestream = 5c0ad2b8,
 c->bytestream_end = 5c0ad2b8
 06-05 11:30:52.807: I/fromffmpeg(7229): c->bytestream = 5c420052,
 c->bytestream_end = 5c420052
 06-05 11:30:52.884: I/fromffmpeg(7229): c->bytestream = 5c0ad7ae,
 c->bytestream_end = 5c0ad7ae
 06-05 11:30:52.974: I/fromffmpeg(7229): c->bytestream = 5cdb7048,
 c->bytestream_end = 5cdb7048
 06-05 11:30:53.180: I/fromffmpeg(7229): c->bytestream = 5c3be3f8,
 c->bytestream_end = 5c3be3f8
 06-05 11:30:53.944: I/fromffmpeg(7229): c->bytestream = 5c0ad088,
 c->bytestream_end = 5c0ad088
 06-05 11:30:54.087: I/fromffmpeg(7229): c->bytestream = 5c0ad192,
 c->bytestream_end = 5c0ad192
 06-05 11:30:54.277: I/fromffmpeg(7229): c->bytestream = 5c4200b0,
 c->bytestream_end = 5c4200b0
 06-05 11:30:54.650: I/fromffmpeg(7229): c->bytestream = 5c3be8cf,
 c->bytestream_end = 5c3be8cf
 06-05 11:30:54.687: I/fromffmpeg(7229): c->bytestream = 5c42034e,
 c->bytestream_end = 5c42034e
 06-05 11:30:59.490: I/fromffmpeg(7229): c->bytestream = 5c42004d,
 c->bytestream_end = 5c42004d
 06-05 11:31:00.397: I/fromffmpeg(7229): c->bytestream = 5c3be068,
 c->bytestream_end = 5c3be068
 06-05 11:31:00.674: I/fromffmpeg(7229): c->bytestream = 5c3be705,
 c->bytestream_end = 5c3be705
 06-05 11:31:01.301: I/fromffmpeg(7229): c->bytestream = 5c0ad2fe,
 c->bytestream_end = 5c0ad2fe
 06-05 11:31:01.331: I/fromffmpeg(7229): c->bytestream = 5c3be76b,
 c->bytestream_end = 5c3be76b
 06-05 11:31:01.607: I/fromffmpeg(7229): c->bytestream = 5c3be8c2,
 c->bytestream_end = 5c3be8c2
 }}}
 It shows that refill2 accesses c->bytestream_end[0] and
 c->bytestream_end[1].

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4587#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list