avcodec/h263dec: Clean intra tables in decoder, not ff_mpv_reconstruct_mb

This is a more appropriate place than a function designed to reconstruct a macroblock. It furthermore limits these checks to the codecs that actually need it (and removes it from e.g. RV10 and RV20 -- the latter actually uses these buffers, but only for intra-frames, so they don't need to be cleaned manually). This furthermore means that ff_mpv_reconstruct_mb() and therefore also the error-resilience code no longer needs block_index set. This fixes a crash caused by 65d5ccb808 when ff_mpv_reconstruct_mb() is called by VC-1 code without block_index being initialized properly (VC-1 uses and initializes block_index itself normally). Fixes: 69814/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4868081575329792 Fixes: heap-buffer-overflow Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2025-08-04 22:03:09 +02:00 · 2024-06-20 14:51:17 +02:00
parent 58f9e497dc
commit 5826166836
2 changed files with 10 additions and 1 deletions
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@ -271,6 +271,15 @@ static int decode_slice(MpegEncContext *s)
            ff_tlog(NULL, "Decoding MB at %dx%d\n", s->mb_x, s->mb_y);
            ret = s->decode_mb(s, s->block);

+            if (s->h263_pred || s->h263_aic) {
+                int mb_xy = s->mb_y * s->mb_stride + s->mb_x;
+                if (!s->mb_intra) {
+                    if (s->mbintra_table[mb_xy])
+                        ff_clean_intra_table_entries(s);
+                } else
+                    s->mbintra_table[mb_xy] = 1;
+            }
+
            if (s->pict_type != AV_PICTURE_TYPE_B)
                ff_h263_update_motion_val(s);

--- a/libavcodec/mpv_reconstruct_mb_template.c
+++ b/libavcodec/mpv_reconstruct_mb_template.c
@ -61,6 +61,7 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],

    s->cur_pic.qscale_table[mb_xy] = s->qscale;

+#if IS_ENCODER
    /* update DC predictors for P macroblocks */
    if (!s->mb_intra) {
        if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic)) {
@ -70,7 +71,6 @@ void mpv_reconstruct_mb_internal(MpegEncContext *s, int16_t block[12][64],
    } else if (is_mpeg12 != DEFINITELY_MPEG12_H261 && (s->h263_pred || s->h263_aic))
        s->mbintra_table[mb_xy] = 1;

-#if IS_ENCODER
    if ((s->avctx->flags & AV_CODEC_FLAG_PSNR) || s->frame_skip_threshold || s->frame_skip_factor ||
        !((s->intra_only || s->pict_type == AV_PICTURE_TYPE_B) &&
          s->avctx->mb_decision != FF_MB_DECISION_RD))  // FIXME precalc