On Wed, Feb 01, 2017 at 09:56:41AM +0100, Steinar H. Gunderson wrote:
> On Wed, Feb 01, 2017 at 02:17:05AM +0100, Andreas Cadhalpun wrote:
> >> Would you mind sharing an input where this actually triggers? None of the
> >> samples I have seem to trigger this, so I suppose it's some sort of fuzzed
> >> input.
> > Indeed it is. I've sent you a sample.
> 
> Thanks; I see what is happening now (and I should have fuzzed SHQ1 too, not
> just SHQ0 :-) ).
> 
> The relevant part is the construction of the (little-endian) alpha VLC:
> 
>         if (!run) {
>             /* 0 -> 0. */
>             run_code[run] = 0;
>             run_bits[run] = 1;
>         } else if (run <= 4) {
>             /* 10xx -> xx plus 1. */
>             run_code[run] = ((run - 1) << 2) | 1;
>             run_bits[run] = 4;
>         } else {
>             /* 111xxxxxxx -> xxxxxxx. */
>             run_code[run] = (run << 3) | 7;
>             run_bits[run] = 10;
>         }
> 
> The sample in question encodes 1110000000, which is a legal code for 0,
> but we haven't told the VLC this (since simply 0 is a much more logical
> way of doing it), so it returns -1 (signaling invalid). We will see the same
> problem in level_code/level_bits (a few lines further down), but it's not
> used for indexing, so it's not a crash issue.
> 

> My preference would be to simply decode this as 0 instead of returning;
> it would be both the safest and the fastest. Is there a way we can do this?

Yes.

Also please check if there are more "holes" in the VLC table
(this is easy to check by summing the ranges covered by codes ...
 which would sum to 1 if there are no holes).

ff_init_vlc_sparse()
We seem to be missing an INIT_*VLC_STATIC for that, but that should be
trivial to add.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Opposition brings concord. Out of discord comes the fairest harmony.
-- Heraclitus
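The check Michael asks for, carried out on the table Steinar quoted: the added example below is not FFmpeg code and not part of the thread. It rebuilds run_code/run_bits exactly as in the quoted snippet, computes the Kraft sum (the sum of 2^-bits over all codes, which is 1 for a complete prefix code) in units of 1/1024, and brute-forces which 10-bit windows no code matches. Assumptions, not stated on the page: the run loop covers 0..127 (the width of the 7-bit field), bits are read LSB first so the first bit read is bit 0 of the code value, and the five 111xxxxxxx spellings of runs 0..4 are added as a second entry for the same symbol, which is the kind of table a symbol array to ff_init_vlc_sparse() lets you express. The thread only shows this fragment of the decoder, so the output says nothing about how prefixes it reports are handled elsewhere.

```c
/* Kraft-sum and hole check for the SpeedHQ alpha run VLC quoted above.
 * Added example, not FFmpeg code. Assumptions: runs 0..127 (7-bit field),
 * little-endian bit order (first bit read = bit 0 of the code value). */
#include <stdio.h>
#include <stdint.h>

#define MAX_BITS    10
#define NUM_RUNS    128            /* assumption: 7-bit run field -> 0..127 */
#define MAX_ENTRIES (NUM_RUNS + 5) /* room for the five 111xxxxxxx aliases */

struct vlc_table {
    int      n;
    uint16_t code[MAX_ENTRIES];
    uint8_t  bits[MAX_ENTRIES];
    int16_t  symbol[MAX_ENTRIES];
};

static void push(struct vlc_table *t, uint16_t code, uint8_t bits, int16_t sym)
{
    t->code[t->n] = code; t->bits[t->n] = bits; t->symbol[t->n] = sym; t->n++;
}

/* The construction quoted in the thread, one entry per run. */
static void build_run_table(struct vlc_table *t)
{
    t->n = 0;
    for (int run = 0; run < NUM_RUNS; run++) {
        if (!run)
            push(t, 0, 1, run);                       /* 0 -> 0 */
        else if (run <= 4)
            push(t, ((run - 1) << 2) | 1, 4, run);    /* 10xx -> xx + 1 */
        else
            push(t, (run << 3) | 7, 10, run);         /* 111xxxxxxx -> xxxxxxx */
    }
}

/* Assumption: the 111xxxxxxx spellings of runs 0..4 added as aliases that
 * map to the same symbol (what a symbol array to ff_init_vlc_sparse() allows). */
static void add_long_aliases(struct vlc_table *t)
{
    for (int run = 0; run <= 4; run++)
        push(t, (run << 3) | 7, 10, run);
}

/* Sum of 2^-bits over all codes, in units of 2^-MAX_BITS.
 * 1024 means every bit pattern is covered; anything less means holes. */
static unsigned kraft_sum_1024(const struct vlc_table *t)
{
    unsigned sum = 0;
    for (int i = 0; i < t->n; i++)
        sum += 1u << (MAX_BITS - t->bits[i]);
    return sum;
}

/* Reading order "1110000000" -> little-endian code value (first char = bit 0). */
static unsigned pattern_from_string(const char *s)
{
    unsigned p = 0;
    for (int i = 0; s[i]; i++)
        if (s[i] == '1')
            p |= 1u << i;
    return p;
}

/* Table lookup on a MAX_BITS-wide window; -1 mirrors the VLC's "invalid". */
static int decode_pattern(const struct vlc_table *t, unsigned pattern)
{
    for (int i = 0; i < t->n; i++) {
        unsigned mask = (1u << t->bits[i]) - 1;
        if ((pattern & mask) == t->code[i])
            return t->symbol[i];
    }
    return -1;
}

/* Brute-force count of uncovered 10-bit windows; equals 1024 minus the
 * Kraft sum as long as the codes are prefix-free. */
static unsigned count_holes(const struct vlc_table *t)
{
    unsigned holes = 0;
    for (unsigned p = 0; p < (1u << MAX_BITS); p++)
        if (decode_pattern(t, p) < 0)
            holes++;
    return holes;
}

int main(void)
{
    struct vlc_table t;
    build_run_table(&t);
    printf("quoted table: kraft %u/1024, %u uncovered windows, 1110000000 -> %d\n",
           kraft_sum_1024(&t), count_holes(&t),
           decode_pattern(&t, pattern_from_string("1110000000")));
    add_long_aliases(&t);
    printf("with aliases: kraft %u/1024, %u uncovered windows, 1110000000 -> %d, 110xxxxxxx -> %d\n",
           kraft_sum_1024(&t), count_holes(&t),
           decode_pattern(&t, pattern_from_string("1110000000")),
           decode_pattern(&t, pattern_from_string("1100000000")));
    return 0;
}
```

For the quoted table the sum is 891/1024, so 133 of the 1024 windows decode to -1: the five 111xxxxxxx spellings of runs 0..4 that Steinar's sample hits, plus every window starting with 110 (128 of them), since no code in this snippet begins with that prefix. Adding the five aliases brings the sum to 896/1024 and the sample to 0; the 110 prefix is still uncovered by this table alone.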


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
