[XviD-devel] bug in xvid decoder when parsing input bitstream

Michael Militzer michael at xvid.org
Fri Sep 15 10:07:35 CEST 2006


Greg,

I believe you're right. Your proposed fix has been on cvs head for a couple
of days.

Thanks,
Michael


Quoting Greg Handi <notarealaccount at yahoo.com>:

> I believe this is another bug (in decoder_decode):
>
>     if (coding_type == -3)
>       decoder_resize(dec);
>
> There is no check if the resize call had a memory error and tore down
> the various buffers and freed all the memory.  I think it should be
> like this instead:
>
>     if (coding_type == -3) {
>       int error = decoder_resize(dec);
>       if (error) return error;
>     }
>
> I'm not sure if I missed something that might need to occur before
> returning if the error occurs but it needs to return the error.
>
>
> --- Michael Militzer <michael at xvid.org> wrote:
>
>> Hello,
>>
>> We've committed a fix to the bitstream.h file on cvs head. If the
>> XVID_SAFE_BS_TAIL flag is defined (disabled by default) a cross check is
>> performed before accessing *(bs->tail+2).
>>
>> However, this additional check will cost performance. Hence, we recommend
>> you should not use the XVID_SAFE_BS_TAIL flag but instead pad your input
>> buffer to 8 bytes if possible. Only if not doable, you should try
>> XVID_SAFE_BS_TAIL.
>>
>> Regards,
>> Michael
>>
>>
>> Quoting liang jian <jianliang79 at gmail.com>:
>>
>> > Hello everyone, I have found a bug in the xvid decoder when parsing the
>> > input bitstream. This bug can be reproduced through the following steps:
>> >
>> > 1) prepare a 16 x 16 image in YUY2 video format, clear it with black
>> > color (y = 16, cb = cr = 128)
>> >
>> > 2) encode this image into an I-frame using xvid (simple profile level 3);
>> > the coded stream is 52 bytes long.
>> >
>> > 3) allocate one page using VirtualAlloc (use mmap in linux), copy the
>> > encoded stream to the end of this page.
>> >
>> > 4) decode the encoded stream in that page using xvid; a read access
>> > violation occurs in the BitstreamSkip() function when it executes the
>> > following line:
>> >    tmp = *((uint32_t *) bs->tail + 2);
>> >
>> > The BitstreamSkip() function updates the bit position in the bitstream,
>> > and always reads the uint32_t value next to the uint32_t value that
>> > contains the current bit position. When the decoder reaches the end of
>> > the stream, BitstreamSkip() will unavoidably read memory whose address is
>> > bigger than the last byte of the input stream (and in the above case this
>> > address is an invalid address).
>> >
>> >
>> > the code is attached.
>>
>>
>>
>>
>> _______________________________________________
>> XviD-devel mailing list
>> XviD-devel at xvid.org
>> http://list.xvid.org/mailman/listinfo/xvid-devel
>>
>
>

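The two fixes discussed in the thread (a guarded load before the *(bs->tail+2) read, or 8 bytes of padding after the input so the unguarded load stays inside owned memory) are easy to reason about on a small model of the reader. The following is an added example written for this page, not XviD's bitstream.h or any code from the posters: it models a two-word windowed reader in the layout liang jian describes (a current word, the word after it, and a lookahead load of tail[2] whenever the current word is exhausted). All names (bs_t, load_word, bs_skip, bs_pad_copy, bs_max_overread, demo_guard_hits, BS_PAD) are this example's own. load_word counts every lookahead that would have left the buffer, bs_pad_copy implements the padding Michael recommends, bs_max_overread shows why 8 bytes are enough for this layout (the lookahead reaches 4 to 7 bytes past the input), and bs_skip adds an end-of-stream test of its own. The 52-byte sample is constructed; it matches the length of the reported I-frame, not its contents.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BS_PAD 8   /* padding the thread recommends: 8 bytes past the real input */

/* Two-word windowed reader modelled on the layout the thread describes: bufa holds
 * the word at tail, bufb the one after it, and exhausting bufa loads tail[2].
 * Added example; the names and layout are this example's own, not XviD's. */
typedef struct {
    const uint8_t *base;        /* first byte of the buffer handed to the reader */
    size_t         size;        /* bytes the reader may touch (input, or input + pad) */
    size_t         input_bits;  /* bits of real bitstream, excluding any pad */
    size_t         tail;        /* byte offset of the word currently in bufa */
    uint32_t       bufa, bufb;
    unsigned       pos;         /* bits of bufa already consumed, 0..31 */
    unsigned       guard_hits;  /* lookahead loads that fell outside [0, size) */
} bs_t;

/* Big-endian load of the word at byte offset off, with the kind of cross check
 * XVID_SAFE_BS_TAIL stands for: a word outside the buffer is never dereferenced,
 * reads as zero and is counted. Unguarded, on an unpadded input, this is the read
 * the report describes. */
static uint32_t load_word(bs_t *bs, size_t off) {
    if (off + 4 > bs->size) {
        bs->guard_hits++;
        return 0;
    }
    const uint8_t *p = bs->base + off;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* size: bytes the reader may touch; input_len: real stream length (they differ
 * only when the caller padded the buffer). */
void bs_init(bs_t *bs, const uint8_t *buf, size_t size, size_t input_len) {
    memset(bs, 0, sizeof *bs);
    bs->base = buf;
    bs->size = size;
    bs->input_bits = input_len * 8;
    bs->bufa = load_word(bs, 0);
    bs->bufb = load_word(bs, 4);
}

/* Peek at the next n (1..32) bits without consuming them. */
uint32_t bs_show(const bs_t *bs, unsigned n) {
    uint64_t win = ((uint64_t)bs->bufa << 32) | bs->bufb;
    return (uint32_t)((win << bs->pos) >> (64 - n));
}

/* Consume n (1..32) bits. Returns -1, leaving the state untouched, when that would
 * pass the real end of the stream (an end-of-stream test of this example's own). */
int bs_skip(bs_t *bs, unsigned n) {
    if (n == 0 || n > 32 || bs->tail * 8 + bs->pos + n > bs->input_bits)
        return -1;
    bs->pos += n;
    if (bs->pos >= 32) {                            /* bufa exhausted: slide */
        bs->bufa = bs->bufb;
        bs->bufb = load_word(bs, bs->tail + 8);     /* the *(tail + 2) read */
        bs->tail += 4;
        bs->pos -= 32;
    }
    return 0;
}

/* Copy the input into a buffer with BS_PAD zero bytes after it, so the lookahead
 * never leaves owned memory and the guard in load_word becomes redundant. */
uint8_t *bs_pad_copy(const uint8_t *in, size_t len, size_t *size_out) {
    uint8_t *out = calloc(len + BS_PAD, 1);
    if (!out) return NULL;
    memcpy(out, in, len);
    *size_out = len + BS_PAD;
    return out;
}

/* Bytes past the input that the unguarded lookahead touches once tail sits on
 * the last (possibly partial) word: between 4 and 7 for any len > 0, so 8 suffice. */
size_t bs_max_overread(size_t len) {
    size_t words = (len + 3) / 4;
    return (words + 1) * 4 - len;
}

/* Constructed 52-byte sample: same length as the I-frame in the report, not its
 * contents (a recognisable first word, zeros after it). */
static const uint8_t SAMPLE[52] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Walk SAMPLE in 8-bit steps, raw or padded, and return how many lookahead loads
 * the guard had to suppress; 0 means an unguarded reader would have been safe. */
unsigned demo_guard_hits(int padded) {
    bs_t bs;
    size_t size = sizeof SAMPLE;
    uint8_t *buf = padded ? bs_pad_copy(SAMPLE, sizeof SAMPLE, &size) : NULL;
    if (padded && !buf) return (unsigned)-1;
    bs_init(&bs, padded ? buf : SAMPLE, size, sizeof SAMPLE);
    while (bs_skip(&bs, 8) == 0)
        ;
    free(buf);
    return bs.guard_hits;
}
```

Walking the raw 52-byte sample, the guard fires twice (the lookahead loads at offsets 52 and 56); on the padded copy it never fires, which is the property that lets the check be compiled out when the caller can pad. The model also makes the trade-off in the thread concrete: the guard costs a compare on every word refill, while padding costs one copy per frame.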