-rw-r--r-- | README.version | 3 | ||||
-rw-r--r-- | libvpx/examples.mk | 2 | ||||
-rw-r--r-- | libvpx/md5_utils.c | 14 | ||||
-rw-r--r-- | libvpx/test/invalid_file_test.cc | 1 | ||||
-rw-r--r-- | libvpx/test/test-data.mk | 2 | ||||
-rw-r--r-- | libvpx/test/test-data.sha1 | 2 | ||||
-rw-r--r-- | libvpx/vp8/common/reconintra4x4.c | 2 | ||||
-rw-r--r-- | libvpx/vp8/decoder/detokenize.c | 6 | ||||
-rw-r--r-- | libvpx/vp8/vp8_dx_iface.c | 1 | ||||
-rw-r--r-- | libvpx/vp9/encoder/vp9_pickmode.c | 2 | ||||
-rw-r--r-- | libvpx/vpx_dsp/x86/convolve.h | 2 | ||||
-rw-r--r-- | libvpx/vpx_ports/compiler_attributes.h | 59 | ||||
-rw-r--r-- | libvpx/vpx_ports/mem.h | 30 | ||||
-rw-r--r-- | libvpx/vpx_ports/vpx_ports.mk | 1 |
14 files changed, 80 insertions, 47 deletions
diff --git a/README.version b/README.version index cc2c2a31c..d11ef9a1f 100644 --- a/README.version +++ b/README.version @@ -4,3 +4,6 @@ BugComponent: 42195 Owners: johannkoenig Local Modifications: 652beb6ac trivial: fix spelling errors + 0f3fe088f vp8_decode: add missing vpx_clear_system_state + 9cfcac1cb vp8,GetSigned: silence unsigned int overflow warning + c713f8461 move common attribute defs to compiler_attributes.h diff --git a/libvpx/examples.mk b/libvpx/examples.mk index 758ca7f88..a28e52935 100644 --- a/libvpx/examples.mk +++ b/libvpx/examples.mk @@ -65,6 +65,7 @@ endif # while EXAMPLES demonstrate specific portions of the API. UTILS-$(CONFIG_DECODERS) += vpxdec.c vpxdec.SRCS += md5_utils.c md5_utils.h +vpxdec.SRCS += vpx_ports/compiler_attributes.h vpxdec.SRCS += vpx_ports/mem_ops.h vpxdec.SRCS += vpx_ports/mem_ops_aligned.h vpxdec.SRCS += vpx_ports/msvc.h @@ -167,6 +168,7 @@ decode_to_md5.SRCS += y4minput.c y4minput.h decode_to_md5.SRCS += tools_common.h tools_common.c decode_to_md5.SRCS += video_common.h decode_to_md5.SRCS += video_reader.h video_reader.c +decode_to_md5.SRCS += vpx_ports/compiler_attributes.h decode_to_md5.SRCS += vpx_ports/mem_ops.h decode_to_md5.SRCS += vpx_ports/mem_ops_aligned.h decode_to_md5.SRCS += vpx_ports/msvc.h diff --git a/libvpx/md5_utils.c b/libvpx/md5_utils.c index 9ddb104c8..c4106525f 100644 --- a/libvpx/md5_utils.c +++ b/libvpx/md5_utils.c @@ -23,6 +23,7 @@ #include <string.h> /* for memcpy() */ #include "md5_utils.h" +#include "vpx_ports/compiler_attributes.h" static void byteSwap(UWORD32 *buf, unsigned words) { md5byte *p; 
@@ -145,17 +146,6 @@ void MD5Final(md5byte digest[16], struct MD5Context *ctx) { #define MD5STEP(f, w, x, y, z, in, s) \ (w += f(x, y, z) + in, w = (w << s | w >> (32 - s)) + x) -#if defined(__clang__) && defined(__has_attribute) -#if __has_attribute(no_sanitize) -#define VPX_NO_UNSIGNED_OVERFLOW_CHECK \ - __attribute__((no_sanitize("unsigned-integer-overflow"))) -#endif -#endif - -#ifndef VPX_NO_UNSIGNED_OVERFLOW_CHECK -#define VPX_NO_UNSIGNED_OVERFLOW_CHECK -#endif - /* * The core of the MD5 algorithm, this alters an existing MD5 hash to * reflect the addition of 16 longwords of new data. MD5Update blocks @@ -244,6 +234,4 @@ VPX_NO_UNSIGNED_OVERFLOW_CHECK void MD5Transform(UWORD32 buf[4], buf[3] += d; } -#undef VPX_NO_UNSIGNED_OVERFLOW_CHECK - #endif diff --git a/libvpx/test/invalid_file_test.cc b/libvpx/test/invalid_file_test.cc index 8fb9859ae..8b1bc56c9 100644 --- a/libvpx/test/invalid_file_test.cc +++ b/libvpx/test/invalid_file_test.cc @@ -124,6 +124,7 @@ TEST_P(InvalidFileTest, ReturnCode) { RunTest(); } #if CONFIG_VP8_DECODER const DecodeParam kVP8InvalidFileTests[] = { { 1, "invalid-bug-1443.ivf" }, + { 1, "invalid-bug-148271109.ivf" }, { 1, "invalid-token-partition.ivf" }, { 1, "invalid-vp80-00-comprehensive-s17661_r01-05_b6-.ivf" }, }; diff --git a/libvpx/test/test-data.mk b/libvpx/test/test-data.mk index 905f0138e..81f035d83 100644 --- a/libvpx/test/test-data.mk +++ b/libvpx/test/test-data.mk 
@@ -737,6 +737,8 @@ endif # CONFIG_VP9_HIGHBITDEPTH # Invalid files for testing libvpx error checking. LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-1443.ivf.res +LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-148271109.ivf +LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-bug-148271109.ivf.res LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-token-partition.ivf.res LIBVPX_TEST_DATA-$(CONFIG_VP8_DECODER) += invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf diff --git a/libvpx/test/test-data.sha1 b/libvpx/test/test-data.sha1 index 8f0084c47..dcaea2866 100644 --- a/libvpx/test/test-data.sha1 +++ b/libvpx/test/test-data.sha1 @@ -866,3 +866,5 @@ c62b005a9fd32c36a1b3f67de6840330f9915e34 *invalid-crbug-1562.ivf f0cd8389948ad16085714d96567612136f6a46c5 *invalid-crbug-1562.ivf.res bac455906360b45338a16dd626ac5f19bc36a307 *desktop_office1.1280_720-020.yuv 094be4b80fa30bd227149ea16ab6476d549ea092 *slides_code_term_web_plot.1920_1080.yuv +518a0be998afece76d3df76047d51e256c591ff2 *invalid-bug-148271109.ivf +d3964f9dad9f60363c81b688324d95b4ec7c8038 *invalid-bug-148271109.ivf.res diff --git a/libvpx/vp8/common/reconintra4x4.c b/libvpx/vp8/common/reconintra4x4.c index 64d33a287..be936df5e 100644 --- a/libvpx/vp8/common/reconintra4x4.c +++ b/libvpx/vp8/common/reconintra4x4.c @@ -16,7 +16,7 @@ #include "blockd.h" #include "reconintra4x4.h" #include "vp8/common/common.h" -#include "vpx_ports/mem.h" +#include "vpx_ports/compiler_attributes.h" typedef void (*intra_pred_fn)(uint8_t *dst, ptrdiff_t stride, const uint8_t *above, const uint8_t *left); diff --git a/libvpx/vp8/decoder/detokenize.c b/libvpx/vp8/decoder/detokenize.c index b350bafbc..1c77873f0 100644 --- a/libvpx/vp8/decoder/detokenize.c +++ b/libvpx/vp8/decoder/detokenize.c 
@@ -11,6 +11,7 @@ #include "vp8/common/blockd.h" #include "onyxd_int.h" #include "vpx_mem/vpx_mem.h" +#include "vpx_ports/compiler_attributes.h" #include "vpx_ports/mem.h" #include "detokenize.h" @@ -52,7 +53,10 @@ static const uint8_t kZigzag[16] = { 0, 1, 4, 8, 5, 2, 3, 6, /* for const-casting */ typedef const uint8_t (*ProbaArray)[NUM_CTX][NUM_PROBAS]; -static int GetSigned(BOOL_DECODER *br, int value_to_sign) { +// With corrupt / fuzzed streams the calculation of br->value may overflow. See +// b/148271109. +static VPX_NO_UNSIGNED_OVERFLOW_CHECK int GetSigned(BOOL_DECODER *br, + int value_to_sign) { int split = (br->range + 1) >> 1; VP8_BD_VALUE bigsplit = (VP8_BD_VALUE)split << (VP8_BD_VALUE_SIZE - 8); int v; diff --git a/libvpx/vp8/vp8_dx_iface.c b/libvpx/vp8/vp8_dx_iface.c index 12e5781f5..9b3698bcd 100644 --- a/libvpx/vp8/vp8_dx_iface.c +++ b/libvpx/vp8/vp8_dx_iface.c @@ -456,6 +456,7 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx, } if (setjmp(pbi->common.error.jmp)) { + vpx_clear_system_state(); /* We do not know if the missing frame(s) was supposed to update * any of the reference buffers, but we act conservative and * mark only the last buffer as corrupted. diff --git a/libvpx/vp9/encoder/vp9_pickmode.c b/libvpx/vp9/encoder/vp9_pickmode.c index 9b2e48505..23c943c21 100644 --- a/libvpx/vp9/encoder/vp9_pickmode.c +++ b/libvpx/vp9/encoder/vp9_pickmode.c @@ -19,7 +19,7 @@ #include "vpx/vpx_codec.h" #include "vpx_dsp/vpx_dsp_common.h" #include "vpx_mem/vpx_mem.h" -#include "vpx_ports/mem.h" +#include "vpx_ports/compiler_attributes.h" #include "vp9/common/vp9_blockd.h" #include "vp9/common/vp9_common.h" diff --git a/libvpx/vpx_dsp/x86/convolve.h b/libvpx/vpx_dsp/x86/convolve.h index 6fd40fef9..c33960055 100644 --- a/libvpx/vpx_dsp/x86/convolve.h +++ b/libvpx/vpx_dsp/x86/convolve.h 
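Review bot: The comment added above GetSigned justifies the suppression only by an internal bug id, and VPX_NO_UNSIGNED_OVERFLOW_CHECK switches off the unsigned-integer-overflow check for the whole function rather than for the single br->value computation. Unsigned wraparound is well defined in C, so this silences a sanitizer report rather than a memory-safety fault. The comment should still say why the wrapped value is harmless on a corrupt stream, so that a later edit adding another unsigned computation here is not silently exempted. Something like `// Unsigned wrap of br->value is well defined and only seen with corrupt input; covered by invalid-bug-148271109.ivf.` would do, once the "only with corrupt input" part is confirmed. GetSigned's body continues past the end of the hunk, so the expression that wraps is not visible here.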
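Review bot: The vpx_clear_system_state() call added at the top of the setjmp error branch in vp8_decode has no comment explaining why it is needed, and the reason is not obvious from the call site. Presumably the longjmp out of the decoder bypasses the state reset that the normal path performs, leaving SIMD/FPU state dirty for the caller. If so, a line such as `/* longjmp skips the normal-path reset; clear SIMD/FPU state before returning to the caller */` would keep the call from being removed later as redundant. It is also worth checking whether other setjmp error branches in the decoder interfaces need the same call, which this hunk does not show. vp8_decode starts and ends outside the hunk.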
@@ -14,7 +14,7 @@ #include "./vpx_config.h" #include "vpx/vpx_integer.h" -#include "vpx_ports/mem.h" +#include "vpx_ports/compiler_attributes.h" // TODO(chiyotsai@google.com): Refactor the code here. Currently this is pretty // hacky and awful to read. Note that there is a filter_x[3] == 128 check in diff --git a/libvpx/vpx_ports/compiler_attributes.h b/libvpx/vpx_ports/compiler_attributes.h new file mode 100644 index 000000000..354352016 --- /dev/null +++ b/libvpx/vpx_ports/compiler_attributes.h 
@@ -0,0 +1,59 @@ +/* + * Copyright (c) 2020 The WebM project authors. All Rights Reserved. + * + * Use of this source code is governed by a BSD-style license + * that can be found in the LICENSE file in the root of the source + * tree. An additional intellectual property rights grant can be found + * in the file PATENTS. All contributing project authors may + * be found in the AUTHORS file in the root of the source tree. + */ + +#ifndef VPX_VPX_PORTS_COMPILER_ATTRIBUTES_H_ +#define VPX_VPX_PORTS_COMPILER_ATTRIBUTES_H_ + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif // !defined(__has_feature) + +#if !defined(__has_attribute) +#define __has_attribute(x) 0 +#endif // !defined(__has_attribute) + +//------------------------------------------------------------------------------ +// Sanitizer attributes. + +#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__) +#define VPX_WITH_ASAN 1 +#else +#define VPX_WITH_ASAN 0 +#endif // __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__) + +#if defined(__clang__) && __has_attribute(no_sanitize) +#define VPX_NO_UNSIGNED_OVERFLOW_CHECK \ + __attribute__((no_sanitize("unsigned-integer-overflow"))) +#endif + +#ifndef VPX_NO_UNSIGNED_OVERFLOW_CHECK +#define VPX_NO_UNSIGNED_OVERFLOW_CHECK +#endif + +//------------------------------------------------------------------------------ +// Variable attributes. + +#if __has_attribute(uninitialized) +// Attribute "uninitialized" disables -ftrivial-auto-var-init=pattern for +// the specified variable. +// +// -ftrivial-auto-var-init is security risk mitigation feature, so attribute +// should not be used "just in case", but only to fix real performance +// bottlenecks when other approaches do not work. In general the compiler is +// quite effective at eliminating unneeded initializations introduced by the +// flag, e.g. when they are followed by actual initialization by a program. 
+// However if compiler optimization fails and code refactoring is hard, the +// attribute can be used as a workaround. +#define VPX_UNINITIALIZED __attribute__((uninitialized)) +#else +#define VPX_UNINITIALIZED +#endif // __has_attribute(uninitialized) + +#endif // VPX_VPX_PORTS_COMPILER_ATTRIBUTES_H_ diff --git a/libvpx/vpx_ports/mem.h b/libvpx/vpx_ports/mem.h index 4e9041304..5eccfe8f5 100644 --- a/libvpx/vpx_ports/mem.h +++ b/libvpx/vpx_ports/mem.h @@ -41,34 +41,4 @@ #define CAST_TO_BYTEPTR(x) ((uint8_t *)((uintptr_t)(x))) #endif // CONFIG_VP9_HIGHBITDEPTH -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif // !defined(__has_feature) - -#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__) -#define VPX_WITH_ASAN 1 -#else -#define VPX_WITH_ASAN 0 -#endif // __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__) - -#if !defined(__has_attribute) -#define __has_attribute(x) 0 -#endif // !defined(__has_attribute) - -#if __has_attribute(uninitialized) -// Attribute "uninitialized" disables -ftrivial-auto-var-init=pattern for -// the specified variable. -// -// -ftrivial-auto-var-init is security risk mitigation feature, so attribute -// should not be used "just in case", but only to fix real performance -// bottlenecks when other approaches do not work. In general the compiler is -// quite effective at eliminating unneeded initializations introduced by the -// flag, e.g. when they are followed by actual initialization by a program. -// However if compiler optimization fails and code refactoring is hard, the -// attribute can be used as a workaround. -#define VPX_UNINITIALIZED __attribute__((uninitialized)) -#else -#define VPX_UNINITIALIZED -#endif // __has_attribute(uninitialized) - #endif // VPX_VPX_PORTS_MEM_H_ diff --git a/libvpx/vpx_ports/vpx_ports.mk b/libvpx/vpx_ports/vpx_ports.mk index ef17f0ad2..5ce15002c 100644 --- a/libvpx/vpx_ports/vpx_ports.mk +++ b/libvpx/vpx_ports/vpx_ports.mk 
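Review bot: VPX_NO_UNSIGNED_OVERFLOW_CHECK is defined in the new compiler_attributes.h with no usage guidance, whereas VPX_UNINITIALIZED in the same header carries a comment warning against using it "just in case". Before this change the macro was private to md5_utils.c and was #undef'd at the end of that file. It is now visible to every file that includes the header, including decoder code that parses untrusted streams. A comment in the same spirit would set the expectation for reviewers, e.g. `// Disables the unsigned-integer-overflow sanitizer check for one function. Use only where wraparound is intended, and explain why at the use site.`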
@@ -12,6 +12,7 @@ PORTS_SRCS-yes += vpx_ports.mk PORTS_SRCS-yes += bitops.h +PORTS_SRCS-yes += compiler_attributes.h PORTS_SRCS-yes += mem.h PORTS_SRCS-yes += msvc.h PORTS_SRCS-yes += system_state.h |