[XviD-devel] Possible bug in bitstream/mbcoding.c

Martin Thierer xvid-devel@xvid.org
Mon, 30 Sep 2002 20:20:38 +0200 

On Monday 30 September 2002 16:29, skal wrote:
> On Sat, 2002-09-28 at 22:25, Martin Thierer wrote:
> > Please note that this code hasn't changed since snapshot 20020728, but
> > as little changes in the code also make the problem go away for me,
> > that hasn't much to say. It's probably just a matter of a few bytes if
> > an illegal page is hit or not.
>
> 	Maybe running Valgrind on your faulty binary will help, here.
> 	(http://developer.kde.org/~sewardj). Sounds like a nasty
> 	memory corruption...

I did that. It reports an illegal read of size byte. Unfortunatly valgrind 
doesn't report the exact location, as libxvidcore is compiled without 
debug info. (When I do, it doesn't crash anymore :-) But as I said, I'm 
pretty sure that it crashes at the access of "max_level_ptr[run]".

I took a closer look at the whole init_vls_tables function now, and while I 
still don't understand what it is supposed to do I suspect that it's 
buggy. Please forgive me, if I'm wrong :-)

Things that seem odd to me:

1. The arrays "intra_table" and "inter_table" are both of size 524032. But: 
If I see it correct, in every iteration of the inner loop a value is 
written by vlc[intra]++. That would be 2*(2048-(-2047))*64=524160 elements 
for each table, meaning the arrays would be too small.

2. From the inner loop:

  if ((abs(level) <= max_level_ptr[run]) && 
      (run <= (uint32_t)  max_run_ptr[abs(level)])) {
    vlc[intra]->code = 0;
    vlc[intra]->len = 0;
    goto loop_end;
  } else {
    if (level > 0)	// correct level
      level -= max_level_ptr[run];
    else
      level += max_level_ptr[run];

Is this really correct? It would make sense to me if the first condition in 
the above if-clause failed, but not if only the second one fails, as 
"level" then changes its sign.

3. Also from the inner loop, a little further down:

    run -= max_run_ptr[abs(level)] + 1;	// and change run

Here "run" becomes negative when run <= max_run_ptr[abs(level)]. This 
happens if both "abs(level)" and "abs(abs(level)-max_level_ptr[run])" are 
> max_level_ptr[run] (as otherwise one of the earlier if-conditions would 
have been true). But as "max_level" is defined as "static char 
max_level[4][64]" it's illegal to use a negativ subscript as it is done 
then:

    if ((abs(level) <= max_level_ptr[run]) &&
        (run <= (uint32_t) max_run_ptr[abs(level)])) {

This is where it crashes for me.

As I said, I don't understand what the code is supposed to do, so I 
couldn't really suggest a solution.

Bye,

Martin