From: Paul Kocialkowski <paulk@sys-base.io>
To: Pengpeng Hou <pengpeng@iscas.ac.cn>
Cc: mripard@kernel.org, mchehab@kernel.org,
gregkh@linuxfoundation.org, wens@kernel.org,
jernej.skrabec@gmail.com, samuel@sholland.org,
nicolas.dufresne@collabora.com, linux-media@vger.kernel.org,
linux-staging@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-sunxi@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: cedrus: skip invalid H.264 reference list entries
Date: Thu, 9 Apr 2026 15:33:06 +0200 [thread overview]
Message-ID: <adeqkmA9VhaPkSAk@shepard> (raw)
In-Reply-To: <20260324080856.56787-1-pengpeng@iscas.ac.cn>
[-- Attachment #1: Type: text/plain, Size: 2495 bytes --]
Hi,
On Tue 24 Mar 26, 16:08, Pengpeng Hou wrote:
> Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the
> stateless slice control and later uses their indices to look up
> decode->dpb[] in _cedrus_write_ref_list().
>
> Rejecting such controls in cedrus_try_ctrl() would break existing
> userspace, since stateless H.264 reference lists may legitimately carry
> out-of-range indices for missing references. Instead, guard the actual
> DPB lookup in Cedrus and skip entries whose indices do not fit the fixed
> V4L2_H264_NUM_DPB_ENTRIES array.
Could you explain why it is legitimate that userspace would pass indices that
are not in the dpb list? As far as I remember from the H.264 spec, the L0/L1
lists are constructed from active references only and the number of items there
should be given by num_ref_idx_l0_active_minus1/num_ref_idx_l1_active_minus1.
We can tolerate invalid data beyond these indices, but certainly not as part
of the indices that should be valid.
However I agree that cedrus_try_ctrl is maybe not the right place to check it
since I'm not sure we are guaranteed that the slice params control will be
checked before the new DPB (from the same request) is applied, so we might end
up checking against the dpb from the previous decode request.
But I think we should error out and not just skip the invalid reference.
All the best,
Paul
>
> This keeps the fix local to the driver use site and avoids out-of-bounds
> reads from malformed or unsupported reference list entries.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
> --- a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
> +++ b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
> @@ -210,6 +210,9 @@ static void _cedrus_write_ref_list(struct cedrus_ctx *ctx,
> u8 dpb_idx;
>
> dpb_idx = ref_list[i].index;
> + if (dpb_idx >= V4L2_H264_NUM_DPB_ENTRIES)
> + continue;
> +
> dpb = &decode->dpb[dpb_idx];
>
> if (!(dpb->flags & V4L2_H264_DPB_ENTRY_FLAG_ACTIVE))
> --
> 2.50.1
>
--
Paul Kocialkowski,
Independent contractor - sys-base - https://www.sys-base.io/
Free software developer - https://www.paulk.fr/
Expert in multimedia, graphics and embedded hardware support with Linux.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2026-04-09 13:33 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 8:08 [PATCH] media: cedrus: skip invalid H.264 reference list entries Pengpeng Hou
2026-03-29 9:21 ` Jernej Škrabec
2026-03-29 12:44 ` Chen-Yu Tsai
2026-03-30 15:55 ` Nicolas Dufresne
2026-03-30 16:45 ` Chen-Yu Tsai
2026-03-30 17:25 ` Nicolas Dufresne
2026-03-30 15:54 ` Nicolas Dufresne
2026-04-09 13:30 ` [PATCH v2] media: cedrus: reject invalid active H.264 ref indices Pengpeng Hou
2026-04-09 13:33 ` Paul Kocialkowski [this message]
2026-04-09 14:00 ` [PATCH] media: cedrus: skip invalid H.264 reference list entries Nicolas Dufresne
2026-04-09 14:31 ` Paul Kocialkowski
2026-04-09 14:39 ` Nicolas Dufresne
2026-04-09 15:31 ` Paul Kocialkowski
2026-04-09 17:48 ` Nicolas Dufresne
2026-04-09 14:30 ` Pengpeng Hou
2026-04-09 14:00 ` Nicolas Dufresne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adeqkmA9VhaPkSAk@shepard \
--to=paulk@sys-base.io \
--cc=gregkh@linuxfoundation.org \
--cc=jernej.skrabec@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=linux-sunxi@lists.linux.dev \
--cc=mchehab@kernel.org \
--cc=mripard@kernel.org \
--cc=nicolas.dufresne@collabora.com \
--cc=pengpeng@iscas.ac.cn \
--cc=samuel@sholland.org \
--cc=wens@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox