ffmpeg/libavcodec/vulkan
Ruikai Peng c48b8ebbbb avcodec/vulkan: fix DPX unpack offset
The DPX Vulkan unpack shader computes a word offset as

    uint off = (line_off + pix_off >> 5);

Due to GLSL operator precedence this is evaluated as
line_off + (pix_off >> 5) rather than (line_off + pix_off) >> 5.
Since line_off is in bits while off is a 32-bit word index,
scanlines beyond y=0 use an inflated offset and the shader reads
past the end of the DPX slice buffer.

Parenthesize the expression so that the sum is shifted as intended:

    uint off = (line_off + pix_off) >> 5;

This corrects the unpacked data and removes the CRC mismatch
observed between the software and Vulkan DPX decoders for
mispacked 12-bit DPX samples. The GPU OOB read itself is only
observable indirectly via this corruption since it occurs inside
the shader.

Repro on x86_64 with Vulkan/llvmpipe (531ce713a0):

    ./configure --cc=clang --disable-optimizations --disable-stripping \
        --enable-debug=3 --disable-doc --disable-ffplay \
        --enable-vulkan --enable-libshaderc \
        --enable-hwaccel=dpx_vulkan \
        --extra-cflags='-fsanitize=address -fno-omit-frame-pointer' \
        --extra-ldflags='-fsanitize=address' && make

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json

PoC: packed 12-bit DPX with the packing flag cleared so the unpack
shader runs (4x64 gbrp12le), e.g. poc12_packed0.dpx.

Software decode:

    ./ffmpeg -v error -i poc12_packed0.dpx -f framecrc -
    -> 0, ..., 1536, 0x26cf81c2

Vulkan hwaccel decode:

    VK_ICD_FILENAMES=/usr/share/vulkan/icd.d/lvp_icd.json \
    ./ffmpeg -v error -init_hw_device vulkan \
        -hwaccel vulkan -hwaccel_output_format vulkan \
        -i poc12_packed0.dpx \
        -vf hwdownload,format=gbrp12le -f framecrc -
    -> 0, ..., 1536, 0x71e10a51

The only difference between the two runs is the Vulkan unpack
shader, and the stable CRC mismatch indicates that it is reading
past the intended DPX slice region.

Regression since: 531ce713a0
Found-by: Pwno
2025-12-12 20:13:16 +00:00
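
The software-versus-Vulkan framecrc comparison in the repro above can be automated as a regression check. The following is an added example, not part of the commit or of FFmpeg; it assumes the framecrc line layout (stream index, dts, pts, duration, size, checksum), `framecrc_diff` is a hypothetical helper, and the sample lines are constructed.

```shell
# Added example: differential check between two framecrc outputs.
# Data lines: stream_index, dts, pts, duration, size, checksum
# Usage: framecrc_diff REF.framecrc TEST.framecrc
# Returns 0 if every frame matches, 1 on any difference, 2 if REF has no frames.
framecrc_diff() {
    awk -F',' '
        /^#/ || NF < 6 { next }               # header metadata or malformed line
        {
            gsub(/[ \t\r]/, "")               # strip padding; awk re-splits fields
            key = $1 "," $3                   # frame identity: stream index + pts
        }
        FILENAME == ARGV[1] {                 # first file: remember reference values
            size[key] = $5 ""; crc[key] = $6 ""; nref++; next
        }
        !(key in crc) {                       # frame only the test decoder produced
            printf "extra    stream,pts=%s crc=%s\n", key, $6; bad = 1; next
        }
        {
            seen[key] = 1
            if (($5 "") != size[key] || ($6 "") != crc[key]) {
                printf "mismatch stream,pts=%s size %s/%s crc %s/%s\n",
                       key, size[key], $5, crc[key], $6
                bad = 1
            }
        }
        END {
            if (!nref) { print "reference has no frames"; exit 2 }
            for (k in crc) if (!(k in seen)) {
                printf "missing  stream,pts=%s\n", k; bad = 1
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample data (not real decoder output): the second frame differs.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#format: frame checksums' \
        '0, 0, 0, 1, 1536, 0x11111111' \
        '0, 1, 1, 1, 1536, 0x22222222' > "$d/sw.framecrc"
    printf '%s\n' '#format: frame checksums' \
        '0, 0, 0, 1, 1536, 0x11111111' \
        '0, 1, 1, 1, 1536, 0x33333333' > "$d/hw.framecrc"
    framecrc_diff "$d/sw.framecrc" "$d/hw.framecrc"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "decoders disagree"
```

In practice the two inputs would be the outputs of the software and Vulkan hwaccel commands shown above, each redirected to a file.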
common.comp libavcodec/vulkan: remove unnecessary member in GetBitContext 2025-11-30 19:21:08 +01:00
dpx_copy.comp dpxdec: add a Vulkan hwaccel 2025-11-26 15:16:43 +01:00
dpx_unpack.comp avcodec/vulkan: fix DPX unpack offset 2025-12-12 20:13:16 +00:00
ffv1_common.comp ffv1enc_vulkan: fix encoding with large contexts 2025-12-04 16:53:58 +01:00
ffv1_dec.comp vulkan_ffv1: fix swapped colors for x2bgr10 2025-11-26 15:16:40 +01:00
ffv1_dec_setup.comp vulkan/ffv1: use u32vec2 for slice offsets 2025-11-12 00:37:24 +01:00
ffv1_enc.comp vulkan/ffv1: fix sync issue in cached bitstream reader/writer 2025-05-23 05:23:44 +09:00
ffv1_enc_rct.comp vulkan: unify handling of BGR and simplify ffv1_rct 2025-03-17 08:49:15 +01:00
ffv1_enc_setup.comp ffv1enc_vulkan: implement RCT search for level >= 4 2025-05-20 19:53:01 +09:00
ffv1_rct.comp ffv1: add a Vulkan-based decoder 2025-03-17 08:51:23 +01:00
ffv1_rct_search.comp ffv1enc_vulkan: implement RCT search for level >= 4 2025-05-20 19:53:01 +09:00
ffv1_reset.comp ffv1/vulkan: redo context count tracking and quant_table_idx management 2025-04-14 06:10:42 +02:00
ffv1_vlc.comp lavc/vulkan/common: sign-ify lengths 2025-08-05 23:51:21 +09:00
Makefile vulkan/prores: use vkCmdClearColorImage 2025-12-07 18:17:36 +00:00
prores_idct.comp vulkan/prores: normalize coefficients during IDCT 2025-11-29 17:56:28 +01:00
prores_raw_decode.comp vulkan_prores_raw: use the native image representation 2025-11-26 15:16:42 +01:00
prores_raw_idct.comp vulkan_prores_raw: use the native image representation 2025-11-26 15:16:42 +01:00
prores_vld.comp vulkan/prores: forward quantization parameter to the IDCT shader 2025-11-08 22:31:21 +00:00
rangecoder.comp vulkan/rangecoder: ifdef out encode and decode chunks 2025-10-28 07:11:26 +01:00