From 3cbf09d0c967062e875511e4a253e542ecf5e780 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Sat, 9 Dec 2023 16:26:22 +0100 Subject: [PATCH] mpeg2decoder: Fix multiplication wraparound The GstMpeg2Picture system_frame_number is guint32, constant 1000 is guint32, GstV4l2CodecMpeg2Dec *_ref_ts multiplication result is u64 . ``` u64 result = (u32)((u32)system_frame_number * (u32)1000); ``` behaves the same as ``` u64 result = (u32)(((u32)system_frame_number * (u32)1000) & 0xffffffff); ``` so in case `system_frame_number > 4294967295 / 1000`, the `result` will wrap around. Since the `result` is really used as a cookie used to look up V4L2 buffers related to the currently decoded frame, this wraparound leads to visible corruption during MPEG2 decoding. At 30 FPS this occurs after cca. 40 hours of playback . Fix this by changing the 1000 from u32 to u64, i.e.: ``` u64 result = (u64)((u32)system_frame_number * (u64)1000ULL); ``` this way, the wraparound is prevented and the correct cookie is used. Part-of: --- .../gst-plugins-bad/sys/v4l2codecs/gstv4l2codecmpeg2dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/subprojects/gst-plugins-bad/sys/v4l2codecs/gstv4l2codecmpeg2dec.c b/subprojects/gst-plugins-bad/sys/v4l2codecs/gstv4l2codecmpeg2dec.c index 93eb0ccac4..399f1b5bbf 100644 --- a/subprojects/gst-plugins-bad/sys/v4l2codecs/gstv4l2codecmpeg2dec.c +++ b/subprojects/gst-plugins-bad/sys/v4l2codecs/gstv4l2codecmpeg2dec.c @@ -578,9 +578,9 @@ gst_v4l2_codec_mpeg2_dec_start_picture (GstMpeg2Decoder * decoder, /* *INDENT-OFF* */ self->v4l2_picture = (struct v4l2_ctrl_mpeg2_picture) { .backward_ref_ts = next_picture ? - GST_CODEC_PICTURE_FRAME_NUMBER (next_picture) * 1000 : GST_CLOCK_TIME_NONE, + GST_CODEC_PICTURE_FRAME_NUMBER (next_picture) * G_GUINT64_CONSTANT (1000) : GST_CLOCK_TIME_NONE, .forward_ref_ts = prev_picture ? - GST_CODEC_PICTURE_FRAME_NUMBER (prev_picture) * 1000 : GST_CLOCK_TIME_NONE, + GST_CODEC_PICTURE_FRAME_NUMBER (prev_picture) * G_GUINT64_CONSTANT (1000) : GST_CLOCK_TIME_NONE, .intra_dc_precision = slice->pic_ext ? slice->pic_ext->intra_dc_precision : 0, .flags = (slice->pic_ext && slice->pic_ext->top_field_first ? V4L2_MPEG2_PIC_FLAG_TOP_FIELD_FIRST : 0) | (slice->pic_ext && slice->pic_ext->frame_pred_frame_dct ? V4L2_MPEG2_PIC_FLAG_FRAME_PRED_DCT : 0 ) |