virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-04 22:03:09 +02:00
Code Issues Releases Activity

avcodec/h263dec: Clean intra tables in decoder, not ff_mpv_reconstruct_mb

Browse Source 
This is a more appropriate place than a function designed
to reconstruct a macroblock. It furthermore limits these checks
to the codecs that actually need it (and removes it from e.g.
RV10 and RV20 -- the latter actually uses these buffers, but
only for intra-frames, so they don't need to be cleaned
manually).

This furthermore means that ff_mpv_reconstruct_mb() and therefore
also the error-resilience code no longer needs block_index set.
This fixes a crash caused by 65d5ccb808
when ff_mpv_reconstruct_mb() is called by VC-1 code without
block_index being initialized properly (VC-1 uses and initializes
block_index itself normally).

Fixes: 69814/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4868081575329792
Fixes: heap-buffer-overflow

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This commit is contained in:
Andreas Rheinhardt
2024-06-20 14:51:17 +02:00
parent 58f9e497dc
commit 5826166836
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/h263dec.c
View File

@ -271,6 +271,15 @@ static int decode_slice(MpegEncContext *s)
ff_tlog(NULL, "Decoding MB at %dx%d\n", s->mb_x, s->mb_y); ff_tlog(NULL, "Decoding MB at %dx%d\n", s->mb_x, s->mb_y);
ret = s->decode_mb(s, s->block); ret = s->decode_mb(s, s->block);
if (s->h263_pred || s->h263_aic) {
int mb_xy = s->mb_y * s->mb_stride + s->mb_x;
if (!s->mb_intra) {
if (s->mbintra_table[mb_xy])
ff_clean_intra_table_entries(s);
} else
s->mbintra_table[mb_xy] = 1;
}
if (s->pict_type != AV_PICTURE_TYPE_B) if (s->pict_type != AV_PICTURE_TYPE_B)
ff_h263_update_motion_val(s); ff_h263_update_motion_val(s);

2
libavcodec/mpv_reconstruct_mb_template.c
View File

@ -61,6 +61,7 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
s->cur_pic.qscale_table[mb_xy] = s->qscale; s->cur_pic.qscale_table[mb_xy] = s->qscale;
#if IS_ENCODER
/* update DC predictors for P macroblocks */ /* update DC predictors for P macroblocks */
if (!s->mb_intra) { if (!s->mb_intra) {
if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic)) { if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic)) {
@ -70,7 +71,6 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
} else if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic)) } else if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic))
s->mbintra_table[mb_xy] = 1; s->mbintra_table[mb_xy] = 1;
#if IS_ENCODER
if ((s->avctx->flags & AV_CODEC_FLAG_PSNR) || s->frame_skip_threshold || s->frame_skip_factor || if ((s->avctx->flags & AV_CODEC_FLAG_PSNR) || s->frame_skip_threshold || s->frame_skip_factor ||
!((s->intra_only || s->pict_type == AV_PICTURE_TYPE_B) && !((s->intra_only || s->pict_type == AV_PICTURE_TYPE_B) &&
s->avctx->mb_decision != FF_MB_DECISION_RD)) // FIXME precalc s->avctx->mb_decision != FF_MB_DECISION_RD)) // FIXME precalc