[vlc-devel] MPEG Video Codec Motion Block & IDCT Crashes [1/1]

Tue Apr 1 12:31:42 CEST 2003

I am using VLC to handle DVB-T streams in an area of poor reception. 
This leads to VLC receiving corrupted TS packets which become a 
corrupted video stream.  From this I have identified some errors in the 
MPEG video codec that cause crashes.  I have described two in another 
message. This message deals with exceptions in motion block and IDCT 
handling.  I have seen other messages here and in bugzilla that appear 
to report similar faults.

1.  Invalid data can cause the IDCT block handling to try to access 
beyond the end of a picture plane.

2.  Similarly, with motion block processing, invalid data can cause 
accesses beyond the end of a picture plane.  However, in this case 
invalid data could alternatively cause accesses before the beginning of 
a picture plane.  Also in this case the error can be with either the 
source or the destination picture or both.

If these accesses only access another plane of the same picture or the 
data associated with another picture then they are harmless.  However, 
if the accesses address some other data it may get overwritten and if 
they go outside of allocated memory they cause exceptions.

I have made some changes to detect this:

1.  In ParseSlice, i_vert_code is checked to see if it is valid for the 
size of picture.

2.  For IDCT, before the DECODE_INTRA_BLOCK or DECODE_NON_INTRA_BLOCK 
macros are called, a new macro is used to check that the addresses being 
processed won't go past the end of the plane being processed.

3.  For Motion Blocks, function MotionBlock() is extended to check the 
source and destination addresses will not go outside of their respective 
picture planes.

4.  In order to do this, as the macro blocks are set up in ParseSlice(), 
pointers to the source & destination pictures have to be included which 
the checks can then use.  This also requires changes to the calls to 
MOTION_BLOCK in the Motion...() functions.

5.  In general, when these errors are found, an error count is 
incremented and an error flag is set.

6.  In synchro.c, at the same time as the message indicating that 100 or 
more pictures have been produced the error flag is checked and if it is 
set, a message reporting all the error counts is produced.

Attached is a patch that implements all this.

I don't have the ability to check how much extra processing these checks 
add - I don't think it is significant, but if it is I could provide an 
alternative change that puts these changes under an ifdef so that they 
can be turned on & off at compile time.

Note that I use VLC on WinXP from the command line (without a GUI) but I 
think that these errors could be seen on any system.
-- 
Andy Lindsay

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mpeg_video.patch
Type: application/octet-stream
Size: 37768 bytes
Desc: mpeg_video.patch
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20030401/ef15423b/attachment.obj>