Claude Framer Fixes #1174
Open
kierank wants to merge 4 commits into
…d frame
Avoid handling a buffered frame when next_uref is NULL, both during work and on free, preventing a NULL dereference.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Three hardenings closing the root causes behind the previous NULL next_uref guards:
- Reset the start code scan context when the complete-input tail flush drains the stream. Otherwise a partial start code prefix at the end of a flushed frame is carried over and can match within the first bytes of the next uref, yielding next_frame_size < 4 and underflowed offsets.
- Discard a start code that spans a flushed boundary (next_frame_size < 4) and rescan from a clean state.
- Treat next_frame_offset == -1 (no picture start code, e.g. a trailing sequence or GOP header flushed at end of stream) as a non-decodable fragment instead of passing -1 to upipe_mpgvf_extract_uref_stream(), which extracted SIZE_MAX bytes, drained the stream and crashed in the following extraction. This path was reachable from both the tail flush and upipe_mpgvf_free().
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Port of the upipe_mpgv_framer hardenings to the same pattern here:
- Guard the complete-input tail flush and the buffered-frame flush in upipe_h264f_free() against next_uref == NULL with au_size != 0; end_annexb dereferences next_uref->ubuf and output_annexb extracts from the stream, both crashing on an empty stream.
- Guard au_size -= start_size against size_t underflow when a false start code spans a previously flushed boundary, and rescan from a clean state instead.
- Reset the start code scan context when the complete-input tail flush drains the stream, so a partial start code prefix is not carried over into the next input uref. The scan context was previously never reset after allocation.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Same hardenings as upipe_h264_framer, of which this framer is a close clone: guard the complete-input tail flush and the flush in upipe_h265f_free() against next_uref == NULL, guard au_size -= start_size against underflow on a false start code spanning a flushed boundary, and reset the start code scan context when the tail flush drains the stream.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
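A constructed C model of the flushed-boundary underflow the h264/h265 commit messages describe, added here as an illustration and not code from this PR or from upipe: scan_ctx, find_start_code and the two next_frame_size_* functions are hypothetical stand-ins for the framers' scan state and frame-size arithmetic, and START_SIZE is the 3-byte 00 00 01 prefix.

```c
#include <stddef.h>
#include <stdint.h>

#define START_SIZE 3 /* length of the 00 00 01 start code prefix */

/* Constructed model of a framer's scan context (not upipe's struct): how many
 * trailing zero bytes the previous input ended with. */
typedef struct { size_t zeros; } scan_ctx;

/* Offset just past the first 00 00 01 that completes in buf, or -1. Zeros
 * carried in ctx let a prefix split across two inputs still match. */
static long find_start_code(scan_ctx *ctx, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0x01 && ctx->zeros >= 2) { ctx->zeros = 0; return (long)(i + 1); }
        ctx->zeros = (buf[i] == 0x00) ? ctx->zeros + 1 : 0;
    }
    return -1;
}

/* Unhardened: au_size bytes are already buffered for the current access unit.
 * If a tail flush reset au_size to 0 but left ctx stale, a 0x01 at the head of
 * the next input completes a start code spanning the flushed boundary and
 * au_size + end - START_SIZE wraps around (size_t underflow). */
size_t next_frame_size_unhardened(scan_ctx *ctx, const uint8_t *buf, size_t len, size_t au_size)
{
    long end = find_start_code(ctx, buf, len);
    if (end < 0)
        return au_size + len;               /* no boundary yet: keep buffering */
    return au_size + (size_t)end - START_SIZE;
}

/* Hardened: a start code ending before START_SIZE bytes exist in the current
 * access unit can only span a flushed boundary. Discard it, clear the scan
 * context and rescan from just past it instead of underflowing. */
size_t next_frame_size_hardened(scan_ctx *ctx, const uint8_t *buf, size_t len, size_t au_size)
{
    size_t pos = 0;
    for (;;) {
        long end = find_start_code(ctx, buf + pos, len - pos);
        if (end < 0)
            return au_size + len;
        size_t code_end = pos + (size_t)end;
        if (au_size + code_end >= START_SIZE)
            return au_size + code_end - START_SIZE;
        ctx->zeros = 0;                     /* false start code: rescan clean */
        pos = code_end;
    }
}
```

Clearing ctx->zeros when a tail flush drains the stream (the first hardening in the commit messages) makes even the unhardened arithmetic return a sane size on the same input; the underflow guard covers the case where the stale context slips through anyway.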
This is using the new Fable model. I am not able to verify these fix anything in production.