disable vpx_highbd_*_sub_pixel_avg_variance4x{4,8}_neon
vpx_highbd_8_sub_pixel_avg_variance4x4_neon
vpx_highbd_8_sub_pixel_avg_variance4x8_neon
vpx_highbd_10_sub_pixel_avg_variance4x4_neon
vpx_highbd_10_sub_pixel_avg_variance4x8_neon
vpx_highbd_12_sub_pixel_avg_variance4x4_neon
vpx_highbd_12_sub_pixel_avg_variance4x8_neon

all cause heap overflows of the form:

[ RUN      ] NEON/VpxHBDSubpelAvgVarianceTest.Ref/33
=================================================================
==535205==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xffff95bb0b89 at pc 0x00000116dabc bp 0xffffd09f6430 sp 0xffffd09f6428
READ of size 8 at 0xffff95bb0b89 thread T0
    #0 0x116dab8 in load_unaligned_u16q vpx_dsp/arm/mem_neon.h:176:3
    #1 0x116dab8 in highbd_var_filter_block2d_bil_w4
       vpx_dsp/arm/highbd_subpel_variance_neon.c:49:21
    #2 0x116dab8 in vpx_highbd_8_sub_pixel_avg_variance4x4_neon
       vpx_dsp/arm/highbd_subpel_variance_neon.c:543:1
    ...

0xffff95bb0b89 is located 0 bytes to the right of 73-byte region
[0xffff95bb0b40,0xffff95bb0b89)
allocated by thread T0 here:
    #0 0x5f18b0 in malloc (test_libvpx+0x5f18b0)
    #1 0xce4a40 in vpx_memalign vpx_mem/vpx_mem.c:62:10
    #2 0xce4a40 in vpx_malloc vpx_mem/vpx_mem.c:70:40
    #3 0xa52238 in (anonymous namespace)::SubpelVarianceTest<unsigned
       int (*)(unsigned char const*, int, int, int, unsigned char
               const*, int, unsigned int*, unsigned char
               const*)>::SetUp()
       test/variance_test.cc:586:14
    ...

This is the same issue as:
  e33d4c2 disable vpx_highbd_*_sub_pixel_variance4x{4,8}_neon
They have highbd_var_filter_block2d_bil_w4 in common.

Bug: webm:1796
Change-Id: I3ed70d0ba22e127720542612ea9f6665948eedfc
jzern committed Mar 8, 2023
1 parent e33d4c2 commit a479677
Showing 3 changed files with 43 additions and 16 deletions.
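--- a/test/variance_test.cc
+++ b/test/variance_test.cc
@@ -1687,12 +1687,14 @@ INSTANTIATE_TEST_SUITE_P(
 SubpelAvgVarianceParams(3, 2,
 &vpx_highbd_12_sub_pixel_avg_variance8x4_neon,
 12),
+/*TODO(https://crbug.com/webm/1796): enable after heap overflow is
+fixed.
 SubpelAvgVarianceParams(2, 3,
 &vpx_highbd_12_sub_pixel_avg_variance4x8_neon,
 12),
 SubpelAvgVarianceParams(2, 2,
 &vpx_highbd_12_sub_pixel_avg_variance4x4_neon,
-12),
+12),*/
 SubpelAvgVarianceParams(6, 6,
 &vpx_highbd_10_sub_pixel_avg_variance64x64_neon,
 10),
@@ -1726,12 +1728,14 @@ INSTANTIATE_TEST_SUITE_P(
 SubpelAvgVarianceParams(3, 2,
 &vpx_highbd_10_sub_pixel_avg_variance8x4_neon,
 10),
+/*TODO(https://crbug.com/webm/1796): enable after heap overflow is
+fixed.
 SubpelAvgVarianceParams(2, 3,
 &vpx_highbd_10_sub_pixel_avg_variance4x8_neon,
 10),
 SubpelAvgVarianceParams(2, 2,
 &vpx_highbd_10_sub_pixel_avg_variance4x4_neon,
-10),
+10),*/
 SubpelAvgVarianceParams(6, 6,
 &vpx_highbd_8_sub_pixel_avg_variance64x64_neon,
 8),
@@ -1764,13 +1768,15 @@ INSTANTIATE_TEST_SUITE_P(
 8),
 SubpelAvgVarianceParams(3, 2,
 &vpx_highbd_8_sub_pixel_avg_variance8x4_neon,
-8),
+8)
+/*TODO(https://crbug.com/webm/1796): enable after heap overflow is
+fixed.
 SubpelAvgVarianceParams(2, 3,
 &vpx_highbd_8_sub_pixel_avg_variance4x8_neon,
 8),
 SubpelAvgVarianceParams(2, 2,
 &vpx_highbd_8_sub_pixel_avg_variance4x4_neon,
-8)));
+8)*/));
 
 #endif // CONFIG_VP9_HIGHBITDEPTH
 #endif // HAVE_NEON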
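Review bot: With the 4x4 and 4x8 cases commented out for all three bit depths, nothing visible in this suite still runs the 4-wide NEON avg-variance path under ASan, so the eventual fix for webm:1796 has no regression test unless these entries are restored in the same change. The TODO should say that, e.g. `/*TODO(https://crbug.com/webm/1796): re-enable together with the NEON fix; these cases are what reproduce the over-read.`. In the third hunk the comma after the `vpx_highbd_8_sub_pixel_avg_variance8x4_neon` entry is also dropped (`8),` becomes `8)`), so re-enabling there needs that comma put back as well as the comment markers removed. The `INSTANTIATE_TEST_SUITE_P` argument list starts outside all three hunks.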
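--- a/vpx_dsp/arm/highbd_subpel_variance_neon.c
+++ b/vpx_dsp/arm/highbd_subpel_variance_neon.c
@@ -37,6 +37,8 @@
 // 15-bit.)
 
 // Process a block exactly 4 wide and a multiple of 2 high.
+// TODO(https://crbug.com/webm/1796): enable after heap overflow is fixed.
+#if 0
 static void highbd_var_filter_block2d_bil_w4(const uint16_t *src_ptr,
 uint16_t *dst_ptr, int src_stride,
 int pixel_step, int dst_height,
@@ -60,6 +62,7 @@ static void highbd_var_filter_block2d_bil_w4(const uint16_t *src_ptr,
 i -= 2;
 } while (i != 0);
 }
+#endif // 0
 
 // Process a block which is a multiple of 8 and any height.
 static void highbd_var_filter_block2d_bil_large(const uint16_t *src_ptr,
@@ -295,6 +298,8 @@ HBD_SPECIALIZED_SUBPEL_VARIANCE_WXH_NEON(12, 64, 64, 1)
 
 // Combine bilinear filter with vpx_highbd_comp_avg_pred for blocks having
 // width 4.
+// TODO(https://crbug.com/webm/1796): enable after heap overflow is fixed.
+#if 0
 static void highbd_avg_pred_var_filter_block2d_bil_w4(
 const uint16_t *src_ptr, uint16_t *dst_ptr, int src_stride, int pixel_step,
 int dst_height, int filter_offset, const uint16_t *second_pred) {
@@ -319,6 +324,7 @@ static void highbd_avg_pred_var_filter_block2d_bil_w4(
 i -= 2;
 } while (i != 0);
 }
+#endif // 0
 
 // Combine bilinear filter with vpx_highbd_comp_avg_pred for large blocks.
 static void highbd_avg_pred_var_filter_block2d_bil_large(
@@ -540,8 +546,9 @@ static void highbd_avg_pred(const uint16_t *src_ptr, uint16_t *dst_ptr,
 // padding.
 
 // 8-bit
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 4, 4, 2)
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 4, 8, 2)
+// TODO(https://crbug.com/webm/1796): enable after heap overflow is fixed.
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 4, 4, 2)
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 4, 8, 2)
 
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 8, 4, 1)
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 8, 8, 1)
@@ -559,8 +566,9 @@ HBD_SPECIALIZED_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 64, 32, 1)
 HBD_SPECIALIZED_SUBPEL_AVG_VARIANCE_WXH_NEON(8, 64, 64, 1)
 
 // 10-bit
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 4, 4, 2)
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 4, 8, 2)
+// TODO(https://crbug.com/webm/1796): enable after heap overflow is fixed.
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 4, 4, 2)
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 4, 8, 2)
 
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 8, 4, 1)
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 8, 8, 1)
@@ -578,8 +586,9 @@ HBD_SPECIALIZED_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 64, 32, 1)
 HBD_SPECIALIZED_SUBPEL_AVG_VARIANCE_WXH_NEON(10, 64, 64, 1)
 
 // 12-bit
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 4, 4, 2)
-HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 4, 8, 2)
+// TODO(https://crbug.com/webm/1796): enable after heap overflow is fixed.
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 4, 4, 2)
+// HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 4, 8, 2)
 
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 8, 4, 1)
 HBD_SUBPEL_AVG_VARIANCE_WXH_NEON(12, 8, 8, 1)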
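Review bot: The two `#if 0` guards, around `highbd_var_filter_block2d_bil_w4` and `highbd_avg_pred_var_filter_block2d_bil_w4`, carry only the bug link, so someone reading the file cannot tell what is unsafe about the 4-wide path or whether both helpers are affected. The ASan trace in the commit message names only the first helper, with an 8-byte read in `load_unaligned_u16q` starting exactly at the end of the source allocation. I would record that next to the first guard, e.g. `// Disabled: the load_unaligned_u16q call reads 8 bytes starting at the end of an exactly-sized source buffer.`, and state at the second guard whether it has the same read or is compiled out only because it would otherwise be unused. Both function bodies lie mostly outside the visible hunks, so the offending load itself cannot be confirmed from this page.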
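--- a/vpx_dsp/vpx_dsp_rtcd_defs.pl
+++ b/vpx_dsp/vpx_dsp_rtcd_defs.pl
@@ -1569,9 +1569,13 @@ ()
 specialize qw/vpx_highbd_12_sub_pixel_avg_variance8x4 sse2 neon/;
 
 add_proto qw/uint32_t vpx_highbd_12_sub_pixel_avg_variance4x8/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_12_sub_pixel_avg_variance4x8 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_12_sub_pixel_avg_variance4x8 neon/;
 add_proto qw/uint32_t vpx_highbd_12_sub_pixel_avg_variance4x4/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_12_sub_pixel_avg_variance4x4 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_12_sub_pixel_avg_variance4x4 neon/;
 
 add_proto qw/uint32_t vpx_highbd_10_sub_pixel_avg_variance64x64/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
 specialize qw/vpx_highbd_10_sub_pixel_avg_variance64x64 sse2 neon/;
@@ -1607,9 +1611,13 @@ ()
 specialize qw/vpx_highbd_10_sub_pixel_avg_variance8x4 sse2 neon/;
 
 add_proto qw/uint32_t vpx_highbd_10_sub_pixel_avg_variance4x8/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_10_sub_pixel_avg_variance4x8 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_10_sub_pixel_avg_variance4x8 neon/;
 add_proto qw/uint32_t vpx_highbd_10_sub_pixel_avg_variance4x4/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_10_sub_pixel_avg_variance4x4 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_10_sub_pixel_avg_variance4x4 neon/;
 
 add_proto qw/uint32_t vpx_highbd_8_sub_pixel_avg_variance64x64/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
 specialize qw/vpx_highbd_8_sub_pixel_avg_variance64x64 sse2 neon/;
@@ -1645,9 +1653,13 @@ ()
 specialize qw/vpx_highbd_8_sub_pixel_avg_variance8x4 sse2 neon/;
 
 add_proto qw/uint32_t vpx_highbd_8_sub_pixel_avg_variance4x8/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_8_sub_pixel_avg_variance4x8 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_8_sub_pixel_avg_variance4x8 neon/;
 add_proto qw/uint32_t vpx_highbd_8_sub_pixel_avg_variance4x4/, "const uint8_t *src_ptr, int src_stride, int x_offset, int y_offset, const uint8_t *ref_ptr, int ref_stride, uint32_t *sse, const uint8_t *second_pred";
-specialize qw/vpx_highbd_8_sub_pixel_avg_variance4x4 neon/;
+# TODO(https://crbug.com/webm/1796): enable neon after heap overflow is
+# fixed.
+# specialize qw/vpx_highbd_8_sub_pixel_avg_variance4x4 neon/;
 
 } # CONFIG_VP9_HIGHBITDEPTH
 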
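Review bot: The commented-out `specialize` lines do not say what the six functions resolve to while NEON is off. The 4x8 and 4x4 entries list no other target in these hunks, so they presumably fall back to the C versions everywhere, and that is worth stating once, e.g. `# No SIMD version until then; the C implementation is used.`. The same TODO is repeated six times here, so a re-enable has to touch all six together with the matching macros in highbd_subpel_variance_neon.c and the test cases in variance_test.cc. Naming those two files in the comment would keep the three places in step.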
