Merge pull request #1 from webmproject/master #1
Closed
bear101 wants to merge 1 commit into webmproject:master from
Merge webm
jack2015
pushed a commit
to jack2015/libvpx
that referenced
this pull request
Aug 24, 2022
this was added in:
7beafef vp9: Allow for disabling loopfilter per spatial layer
but the test doesn't zero initialize its svc_params_ member.
fixes the use of an uninitialized value, reported by valgrind and
integer sanitizer:
[ RUN ] VP9/RcInterfaceSvcTest.Svc/0
==1064682== Conditional jump or move depends on uninitialised value(s)
==1064682== at 0x1C5624: loopfilter_frame (vp9_encoder.c:3285)
==1064682== by 0x1C9B54: encode_frame_to_data_rate (vp9_encoder.c:5595)
==1064682== by 0x1CA2EE: SvcEncode (vp9_encoder.c:5789)
==1064682== by 0x1CEA01: vp9_get_compressed_data (vp9_encoder.c:7891)
==1064682== by 0x185F0E: encoder_encode (vp9_cx_iface.c:1437)
==1064682== by 0x1503BB: vpx_codec_encode (vpx_encoder.c:208)
vp9/encoder/vp9_svc_layercontext.c:362:26: runtime error: implicit
conversion from type 'int' of value -1 (32-bit, signed) to type
'LOOPFILTER_CONTROL' changed the value to 4294967295 (32-bit, unsigned)
#0 0x558925f45377 in vp9_restore_layer_context
vp9/encoder/vp9_svc_layercontext.c:362:26
#1 0x558925ef89fd in vp9_get_compressed_data
vp9/encoder/vp9_encoder.c:7781:5
#2 0x558925e3ef3e in encoder_encode vp9/vp9_cx_iface.c:1437:20
Bug: b/229626362
Change-Id: I33d244be7752c68b71efa9c62ca45d6b202ec761
jack2015
pushed a commit
to jack2015/libvpx
that referenced
this pull request
Aug 26, 2022
Fix errors reported by UBSan diagnostics:
1. /vp9/encoder/vp9_pickmode.c:308:29: unsigned integer overflow: 99 - 100 cannot be represented in type 'unsigned int'
2. /vp9/encoder/vp9_pickmode.c:330:27: unsigned integer overflow: 21976 - 21978 cannot be represented in type 'unsigned int'
3. /vp9/encoder/vp9_pickmode.c:468:13: unsigned integer overflow: 18852144 - 18852149 cannot be represented in type 'unsigned int'
(Notice that line numbers might vary a bit because fixes have been
applied incrementally i.e. fix for error #1 affects line number
reported in #2)
Fix by calculating difference instead of wrapping around to a value
near maximum.
Test: Cuttlefish webrtc with VP9 codec
Change-Id: I4f85712028647e915a4e2da31e4b0a266e9e2705
tanersener
pushed a commit
to arthenica/libvpx
that referenced
this pull request
Mar 5, 2023
This reverts commit 360e906.
This causes ASan errors:
[ RUN ] VP9/TestVectorTest.MD5Match/1
=================================================================
==837858==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xffff82ecad40 at pc 0x000000c494d4 bp 0xffffe1695800 sp 0xffffe16957f8
READ of size 16 at 0xffff82ecad40 thread T0
#0 0xc494d0 in vpx_d117_predictor_32x32_neon (test_libvpx+0xc494d0)
#1 0x1040b34 in vp9_predict_intra_block (test_libvpx+0x1040b34)
#2 0xf8feec in decode_block (test_libvpx+0xf8feec)
#3 0xf8f588 in decode_partition (test_libvpx+0xf8f588)
#4 0xf7be5c in vp9_decode_frame (test_libvpx+0xf7be5c)
...
Address 0xffff82ecad40 is located in stack of thread T0 at offset 64 in
frame
#0 0x103fd3c in vp9_predict_intra_block (test_libvpx+0x103fd3c)
This frame has 2 object(s):
[32, 64) 'left_col.i' <== Memory access at offset 64 overflows this
variable
[96, 176) 'above_data.i'
Change-Id: I058213364617dfe1036126c33a3307f8288d9ae0
tanersener
pushed a commit
to arthenica/libvpx
that referenced
this pull request
Mar 5, 2023
This function causes a heap overflow in the tests:
[ RUN ] NEON/VpxSseTest.RefSse/0
=================================================================
==876922==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xffff8949d903 at pc 0x000000dd95d4 bp 0xfffffdd7f260 sp 0xfffffdd7f258
READ of size 8 at 0xffff8949d903 thread T0
#0 0xdd95d0 in vpx_get4x4sse_cs_neon
vpx_dsp/arm/variance_neon.c:556:10
#1 0x9d4894 in (anonymous namespace)::MainTestClass<unsigned int
(*)(unsigned char const*, int, unsigned char const*,
int)>::RefTestSse() test/variance_test.cc:531:5
#2 0x9d4894 in (anonymous
namespace)::VpxSseTest_RefSse_Test::TestBody()
test/variance_test.cc:772:30
...
0xffff8949d903 is located 3 bytes to the right of 16-byte region
[0xffff8949d8f0,0xffff8949d900)
allocated by thread T0 here:
#0 0x5fd050 in operator new[](unsigned long) (test_libvpx+0x5fd050)
#1 0x9d3e04 in (anonymous namespace)::MainTestClass<unsigned int
(*)(unsigned char const*, int, unsigned char const*,
int)>::SetUp() test/variance_test.cc:299:12
Bug: webm:1794
Change-Id: I4bc681eb9a436743ef8bfe2a2abae59ce754309c
tanersener
pushed a commit
to arthenica/libvpx
that referenced
this pull request
Mar 5, 2023
This causes various buffer overflows in the tests:
[ RUN ] NEON/SixtapPredictTest.TestWithPresetData/0
=================================================================
==22346==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000012b4a5b at pc 0x000000df0f60 bp 0xffffcf6e64b0 sp 0xffffcf6e64a8
READ of size 8 at 0x0000012b4a5b thread T0
#0 0xdf0f5c in vp8_sixtap_predict16x16_neon
vp8/common/arm/neon/sixtappredict_neon.c:1507:13
#1 0x8819e4 in (anonymous
namespace)::SixtapPredictTest_TestWithPresetData_Test::TestBody()
test/predict_test.cc:293:3
...
0x0000012b4a5b is located 2 bytes to the right of global variable
'kTestData' defined in '../test/predict_test.cc:237:24' (0x12b48a0) of
size 441
[ RUN ] NEON/SixtapPredictTest.TestWithRandomData/0
=================================================================
==22338==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xffff8b5321fb at pc 0x000000df0f60 bp 0xfffff7e0cf30 sp 0xfffff7e0cf28
READ of size 8 at 0xffff8b5321fb thread T0
#0 0xdf0f5c in vp8_sixtap_predict16x16_neon
vp8/common/arm/neon/sixtappredict_neon.c:1507:13
#1 0x87d4c0 in (anonymous
namespace)::PredictTestBase::TestWithRandomData(void (*)(unsigned
char*, int, int, int, unsigned char*, int))
test/predict_test.cc:170:9
...
0xffff8b5321fb is located 2 bytes to the right of 441-byte region
[0xffff8b532040,0xffff8b5321f9)
allocated by thread T0 here:
#0 0x5fd4f0 in operator new[](unsigned long) (test_libvpx+0x5fd4f0)
#1 0x87c2e0 in (anonymous namespace)::PredictTestBase::SetUp()
test/predict_test.cc:47:12
#2 0x87d074 in non-virtual thunk to (anonymous
namespace)::PredictTestBase::SetUp() test/predict_test.cc
...
Bug: webm:1795
Change-Id: I32213a381eef91547d00f88acf90f1cf2ec2ea75
jack2015
pushed a commit
to jack2015/libvpx
that referenced
this pull request
Mar 9, 2023
Fixes a -fsanitize=undefined warning:
vpx_dsp/arm/vpx_convolve_copy_neon.c:29:26: runtime error: load of
misaligned address 0xffffa8242bea for type 'const uint32_t' (aka 'const
unsigned int'), which requires 4 byte alignment
0xffffa8242bea: note: pointer points here
88 81 7d 7d 7d 7d 7d 81 81 7d 81 80 87 97 a8 ab a0 91 ...
^
#0 0xb0447c in vpx_convolve_copy_neon
vpx_dsp/arm/vpx_convolve_copy_neon.c:29:26
#1 0x12285c8 in inter_predictor vp9/common/vp9_reconinter.h:29:3
#2 0x1228430 in dec_build_inter_predictors
vp9/decoder/vp9_decodeframe.c
...
Change-Id: Iaec4ac2a400b6e6db72d12e5a7acb316262b12a7
jack2015
pushed a commit
to jack2015/libvpx
that referenced
this pull request
Mar 9, 2023
vpx_highbd_8_sub_pixel_variance4x4_neon
vpx_highbd_8_sub_pixel_variance4x8_neon
vpx_highbd_10_sub_pixel_variance4x4_neon
vpx_highbd_10_sub_pixel_variance4x8_neon
vpx_highbd_12_sub_pixel_variance4x4_neon
vpx_highbd_12_sub_pixel_variance4x8_neon
all cause heap overflows of the form:
[ RUN ] NEON/VpxHBDSubpelVarianceTest.Ref/24
=================================================================
==450528==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xffff8311a571 at pc 0x0000010ca52c bp 0xffffc63e96b0 sp 0xffffc63e96a8
READ of size 8 at 0xffff8311a571 thread T0
#0 0x10ca528 in load_unaligned_u16q vpx_dsp/arm/mem_neon.h:176:3
#1 0x10ca528 in highbd_var_filter_block2d_bil_w4
vpx_dsp/arm/highbd_subpel_variance_neon.c:49:21
#2 0x10ca528 in vpx_highbd_10_sub_pixel_variance4x8_neon
vpx_dsp/arm/highbd_subpel_variance_neon.c:257:1
...
0xffff8311a571 is located 0 bytes to the right of 113-byte region
[0xffff8311a500,0xffff8311a571)
allocated by thread T0 here:
#0 0x5f18b0 in malloc (test_libvpx+0x5f18b0)
#1 0xce4f90 in vpx_memalign vpx_mem/vpx_mem.c:62:10
#2 0xce4f90 in vpx_malloc vpx_mem/vpx_mem.c:70:40
#3 0xa4ad44 in (anonymous namespace)::SubpelVarianceTest<unsigned
int (*)(unsigned char const*, int, int, int, unsigned char
const*, int, unsigned int*)>::SetUp() test/variance_test.cc:586:14
Bug: webm:1796
Change-Id: I39f7f936bae2bcbbe1f803fb10375ec02d1c1277
jack2015
pushed a commit
to jack2015/libvpx
that referenced
this pull request
Mar 9, 2023
vpx_highbd_8_sub_pixel_avg_variance4x4_neon
vpx_highbd_8_sub_pixel_avg_variance4x8_neon
vpx_highbd_10_sub_pixel_avg_variance4x4_neon
vpx_highbd_10_sub_pixel_avg_variance4x8_neon
vpx_highbd_12_sub_pixel_avg_variance4x4_neon
vpx_highbd_12_sub_pixel_avg_variance4x8_neon
all cause heap overflows of the form:
[ RUN ] NEON/VpxHBDSubpelAvgVarianceTest.Ref/33
=================================================================
==535205==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xffff95bb0b89 at pc 0x00000116dabc bp 0xffffd09f6430 sp 0xffffd09f6428
READ of size 8 at 0xffff95bb0b89 thread T0
#0 0x116dab8 in load_unaligned_u16q vpx_dsp/arm/mem_neon.h:176:3
#1 0x116dab8 in highbd_var_filter_block2d_bil_w4
vpx_dsp/arm/highbd_subpel_variance_neon.c:49:21
#2 0x116dab8 in vpx_highbd_8_sub_pixel_avg_variance4x4_neon
vpx_dsp/arm/highbd_subpel_variance_neon.c:543:1
...
0xffff95bb0b89 is located 0 bytes to the right of 73-byte region
[0xffff95bb0b40,0xffff95bb0b89)
allocated by thread T0 here:
#0 0x5f18b0 in malloc (test_libvpx+0x5f18b0)
#1 0xce4a40 in vpx_memalign vpx_mem/vpx_mem.c:62:10
#2 0xce4a40 in vpx_malloc vpx_mem/vpx_mem.c:70:40
#3 0xa52238 in (anonymous namespace)::SubpelVarianceTest<unsigned
int (*)(unsigned char const*, int, int, int, unsigned char
const*, int, unsigned int*, unsigned char
const*)>::SetUp()
test/variance_test.cc:586:14
...
This is the same issue as:
e33d4c2 disable vpx_highbd_*_sub_pixel_variance4x{4,8}_neon
They have highbd_var_filter_block2d_bil_w4 in common.
Bug: webm:1796
Change-Id: I3ed70d0ba22e127720542612ea9f6665948eedfc
hubot
pushed a commit
that referenced
this pull request
Sep 2, 2025
The block is executed when `cpi->last_boost > 150`, `Adjustment` is
calculated by `(cpi->last_boost - 100) >> 5` which at a minimum is 1.
This change removes an `Adjustment < 1` check.
Fixes Coverity issue:
1568643 Logically dead code
The indicated dead code may have performed some action; that action will
never occur.
In calc_pframe_target_size: Code can never be reached because of a
logical contradiction (CWE-561)
cond_at_least: Condition cpi->last_boost > 150, taking true branch. Now
the value of cpi->last_boost is at least 151.
641 if ((cpi->last_boost > 150) && (cpi->frames_till_gf_update_due > 0) &&
642 (cpi->current_gf_interval >= (MIN_GF_INTERVAL << 1))) {
643 /* % Adjustment limited to the range 1% to 10% */
assignment: Assigning: Adjustment = cpi->last_boost - 100 >> 5.
644 Adjustment = (cpi->last_boost - 100) >> 5;
645
at_least: At condition Adjustment < 1, the value of Adjustment
must be at least 1.
dead_error_condition: The condition Adjustment < 1 cannot be
true.
646 if (Adjustment < 1) {
CID 1568643: (#1 of 1): Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach this statement: Adjustment = 1;.
Change-Id: I9754c7f27678e29e4952f826380f8d4c6be805d1
hubot
pushed a commit
that referenced
this pull request
Oct 17, 2025
Running media_unittests in Chromium under UBSan gives the following
error:
[ RUN ] VpxGeneric/SoftwareVideoEncoderTest.EncodeAndDecode/vp9__vp9_profile2__PIXEL_FORMAT_I420__
../../third_party/libvpx/source/libvpx/vpx_dsp/arm/mem_neon.h:47:10: runtime error: left shift of 4294955711 by 32 places cannot be represented in type 'int64_t' (aka 'long long')
...
#0 0x000106e3298c in highbd_iadst16_neon+0x18 (/Volumes/Work/s/w/ir/out/759a-mac-ubsan-fyi-r/media_unittests:arm64+0x1025e698c)
#1 0x000106e32824 in vp9_highbd_iht16x16_256_add_neon+0x198 (/Volumes/Work/s/w/ir/out/759a-mac-ubsan-fyi-r/media_unittests:arm64+0x1025e6824)
#2 0x000108f9a550 in vp9_encode_block_intra+0xe7c (/Volumes/Work/s/w/ir/out/759a-mac-ubsan-fyi-r/media_unittests:arm64+0x10474e550)
#3 0x000108f77160 in vp9_foreach_transformed_block_in_plane+0x228 (/Volumes/Work/s/w/ir/out/759a-mac-ubsan-fyi-r/media_unittests:arm64+0x10472b160)
#4 0x000108f9b148 in vp9_encode_intra_block_plane+0x138 (/Volumes/Work/s/w/ir/out/759a-mac-ubsan-fyi-r/media_unittests:arm64+0x10474f148)
...
The bug is that left-shifting into the sign bit of an int64_t is an
overflow, and signed overflow is undefined.
Given vcreate_s16 and vcreate_s32 take uint64_t, uint64_t seems a better
type to use here anyway.
Bug: 40248746
Change-Id: I970e65a7e88dac060c2fe64eed765f8f8a31fd7f
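The shift described in the commit message above, as an added example (not libvpx code, and not part of the original commit): `shl_is_defined_i64` and `pack_s32x2` are hypothetical names and the lane values are constructed. It checks the representability rule UBSan applies to signed left shifts and packs the same lanes through `uint64_t`, where the shift is well defined.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libvpx code: function names are hypothetical. */

/* Returns 1 when `v << n` is defined for int64_t under the rule UBSan
 * enforces: v is non-negative, n < 64, and the result fits in int64_t. */
static int shl_is_defined_i64(int64_t v, unsigned n) {
  if (v < 0 || n >= 64) return 0;
  return v <= (INT64_MAX >> n);
}

/* Packs two signed 32-bit lanes into one 64-bit word, low lane first.
 * Every step is unsigned, so no bit is ever shifted into a sign bit. */
static uint64_t pack_s32x2(int32_t lo, int32_t hi) {
  return (uint64_t)(uint32_t)lo | ((uint64_t)(uint32_t)hi << 32);
}

int main(void) {
  /* Constructed lane values; (uint32_t)-11585 == 4294955711, the operand
   * named in the UBSan report above. */
  const int32_t lo = 11585, hi = -11585;
  const int64_t widened = (int64_t)(uint32_t)hi;

  printf("int64_t shift defined: %d\n", shl_is_defined_i64(widened, 32));
  printf("packed via uint64_t:   0x%016llx\n",
         (unsigned long long)pack_s32x2(lo, hi));
  return 0;
}
```
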