[XviD-devel] bug in xvid decoder when parsing input bitstream

Michael Militzer michael at xvid.org
Sun Sep 3 20:22:47 CEST 2006


Hello,

We've committed a fix to the bitstream.h file on CVS HEAD. If the XVID_SAFE_BS_TAIL
flag is defined (disabled by default), a cross-check is performed before
accessing *(bs->tail+2).

However, this additional check will cost performance. Hence, we recommend
that you do not use the XVID_SAFE_BS_TAIL flag but instead pad your input
buffer to 8 bytes if possible. Only if that is not doable should you try
XVID_SAFE_BS_TAIL.

Regards,
Michael


Quoting liang jian <jianliang79 at gmail.com>:

> Hello everyone, I have found a bug in the xvid decoder when parsing the input
> bitstream. This bug can be reproduced through the following steps:
>
> 1) prepare a 16 x 16 image in the YUY2 video format, clear it with black
> color (y = 16, cb = cr = 128)
>
> 2) encode this image into an I-frame using xvid (simple profile level 3); the
> coded stream is 52 bytes long.
>
> 3) allocate one page using VirtualAlloc (use mmap on Linux), copy the
> encoded stream to the end of this page.
>
> 4) decode the encoded stream in that page using xvid; a read access
> violation occurs in the BitstreamSkip() function when it executes the following
> line:
>    tmp = *((uint32_t *) bs->tail + 2);
>
> The BitstreamSkip() function updates the bit position in the bitstream, and always
> reads a uint32_t value which is next to the uint32_t value that contains the
> current bit position. When the decoder reaches the end of the stream,
> BitstreamSkip() will unavoidably read memory whose address is bigger
> than that of the last byte of the input stream (and in the above case this address
> is an invalid address).
>
>
> the code is attached.
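To make the over-read and the two mitigations from the thread concrete, here is an added example, constructed for this page. It is not xvid's bitstream.h and not the attachment from the bug report: it models the reader only from the quoted line (tmp = *((uint32_t *) bs->tail + 2)) and the description of BitstreamSkip(), so the struct fields, the function names bs_fetch/bs_skip/count_oob_reads/bs_overread_bytes, and the safe_tail switch are this example's own, and the 52-byte stream is a zeroed stand-in, not an encoded I-frame. The byte swap and word caching of the real reader are left out because they do not change which addresses are touched. The model walks the 52-byte stream with (a) exactly 52 bytes mapped and no check, (b) 8 bytes of padding after the stream, the reading of the recommendation assumed here, and (c) exactly 52 bytes mapped with a cross-check in the style of XVID_SAFE_BS_TAIL, and it derives why 8 bytes is the worst-case over-read for a word-based reader of this shape.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a word-based bitstream reader (not xvid's code).
 * `tail' is the 32-bit word holding the current bit position. Crossing a
 * word boundary fetches the word two ahead of the old tail, which is the
 * read quoted in the bug report. */
typedef struct {
    const uint8_t  *start;      /* first byte of the input buffer */
    size_t          accessible; /* bytes after start that are mapped */
    const uint32_t *tail;       /* word holding the current bit position */
    uint32_t        pos;        /* bit offset inside *tail */
    int             safe_tail;  /* 1: bounds cross-check before the lookahead read */
    int             oob_reads;  /* unchecked reads that went past `accessible' */
} bitstream_t;

static void bs_init(bitstream_t *bs, const uint8_t *buf, size_t accessible, int safe_tail)
{
    memset(bs, 0, sizeof *bs);
    bs->start = buf;
    bs->accessible = accessible;
    bs->tail = (const uint32_t *)buf;
    bs->safe_tail = safe_tail;
}

/* The lookahead read. The 4 bytes at p are out of bounds when they are not
 * all inside the accessible region; at a page boundary the real dereference
 * faults, here it is only recorded. */
static uint32_t bs_fetch(bitstream_t *bs, const uint32_t *p)
{
    size_t off = (size_t)((const uint8_t *)p - bs->start);
    if (off + 4 > bs->accessible) {
        if (!bs->safe_tail)
            bs->oob_reads++;    /* unchecked reader would have dereferenced p */
        return 0;               /* cross-check: do not touch the memory */
    }
    uint32_t v;
    memcpy(&v, p, 4);           /* host-endian; the real reader byte-swaps */
    return v;
}

static void bs_skip(bitstream_t *bs, uint32_t bits)
{
    bs->pos += bits;
    if (bs->pos >= 32) {
        (void)bs_fetch(bs, bs->tail + 2);   /* the line from the bug report */
        bs->tail++;
        bs->pos -= 32;
    }
}

/* Consume a stream_len-byte stream byte by byte with `accessible' bytes
 * mapped after its start; returns how many unchecked out-of-bounds reads
 * the reader performed. The backing store is a zeroed stand-in stream. */
int count_oob_reads(size_t stream_len, size_t accessible, int safe_tail)
{
    uint32_t backing[64] = {0};             /* 256 aligned bytes, constructed */
    bitstream_t bs;
    if (stream_len > 128 || accessible > sizeof backing)
        return -1;
    bs_init(&bs, (const uint8_t *)backing, accessible, safe_tail);
    for (size_t i = 0; i < stream_len; i++)
        bs_skip(&bs, 8);
    return bs.oob_reads;
}

/* Bytes past the end of a len-byte stream that the unchecked reader can
 * touch: the last boundary crossing reads the word at 4*(len/4)+4..+8,
 * so the over-read peaks at 8 bytes when len is a multiple of 4. */
size_t bs_overread_bytes(size_t len)
{
    size_t last_fetch_end = 4 * (len / 4) + 8;
    return last_fetch_end > len ? last_fetch_end - len : 0;
}

int main(void)
{
    printf("52-byte stream, exact mapping, unchecked  : %d OOB reads\n", count_oob_reads(52, 52, 0));
    printf("52-byte stream, 8 bytes of padding        : %d OOB reads\n", count_oob_reads(52, 60, 0));
    printf("52-byte stream, exact mapping, cross-check: %d OOB reads\n", count_oob_reads(52, 52, 1));
    printf("worst-case over-read for a 52-byte stream : %zu bytes\n", bs_overread_bytes(52));
    return 0;
}
```

Placed at the end of a page as in the report, the two unchecked reads in case (a) land at offsets 52 and 56, which is the access violation; case (b) shows that 8 mapped bytes after the stream are enough for this reader, and case (c) shows the cross-check avoiding the read at the cost of a comparison on every word boundary.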
