CopySubpix reads past the end of input buffer

vector<uint8_t> input{ 10, 20, 100, 200, 10, 20, 100, 200, };
vector<uint8_t> output(2 * 4);
ippiCopySubpix_8u_C1R(input.data(), 2, output.data(), 2, { 2, 4 }, 0.5, 0);

fails with an exception when running under App Verifier with Heap checking and Protect checking. With these options, App Verifier inserts a page without read permission after input[8]. I bet valgrind also catches this. You can also tell that IPP is reading after the end of each line because the last pixel of each output line is the average of the last pixel of the input line and the first pixel of the next input line.


Hi Bruno,

I'll investigate this and get back to you soon.

Thanks,

Alice

It still crashes in IPP 2018. I've made a simple repro that doesn't need App Verifier:

#define _IPP_SEQUENTIAL_STATIC
#include <ippcore.h>
#include <ippvm.h>
#include <ipps.h>
#include <ippi.h>
#include <ippcv.h>
#include <cstdint>
#include <cstring> // memcpy
#include <Windows.h>
using namespace std;

int main()
{
    static uint8_t const input[4][2] = {
        { 10, 20, },
        { 100, 200, },
        { 10, 20, },
        { 100, 200, },
    };
    uint8_t output[4][2]{};
    ippiCopySubpix_8u_C1R(input[0], 2, output[0], 2, { 2, 4 }, 0.5, 0);

    int const pagesize = 4 * 1024;
    void* mem = VirtualAlloc(nullptr, 2 * pagesize, MEM_RESERVE, PAGE_READWRITE); // reserve 2 pages
    VirtualAlloc(mem, pagesize, MEM_COMMIT, PAGE_READWRITE); // only commit the first, so reading from the second crashes
    uint8_t* guarded_input = (uint8_t*)mem + pagesize - sizeof input;
    memcpy(guarded_input, input, sizeof input); // copy input to end of first page
    ippiCopySubpix_8u_C1R(guarded_input, 2, output[0], 2, { 2, 4 }, 0.5, 0);
}


Maybe this is the correct behavior and borders need to be considered by hand?

Bruno,
Thanks for the code. Could you submit a support ticket for the IPP product at our support portal: https://www.intel.com/supporttickets ?
That way our support engineer can reproduce your test code there, to root the problem.
One document is attached if you want to learn some steps on submitting a ticket.

regards,
Chao

Attachment: SubmittingSupportIssue.pdf (application/pdf, 465.22 KB)

Just did.

Hi Bruno,

You are right. It is the IPP ROI concept that is described in the manual: as this function doesn't support a border parameter, by default its behavior is as for the border "inmem" case.

For subpixel copying IPP uses linear interpolation; therefore it's the customer's responsibility to provide all required pixels beyond the provided ROI. In the attached example it means +1 column to the right and +1 row at the bottom. See the formula used below:

dst[j] = (TYPE)ROUND(a00*src[j] +a10*src[j+1]+ a01*src[j+srcStep]+a11*src[j+srcStep+1]);

regards, Igor.
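
The formula in the reply above, as an added reference model that is not code from the thread or from IPP: it computes how many source bytes the formula touches and pads the thread's 2x4 input by one replicated column and row so every read stays inside the buffer. The function names, the replicate padding and the bilinear weight definitions are assumptions made for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Bytes that must be readable from src for a w x h ROI: the formula touches
// src[j + srcStep + 1] for the last pixel of the last row.
std::size_t required_src_bytes(int w, int h, int srcStep) {
    return static_cast<std::size_t>(h) * srcStep + w + 1;
}

// Copy a w x h image into a (w+1) x (h+1) buffer, replicating the last column
// and last row so the extra reads land on valid memory. Padded step is w+1.
std::vector<uint8_t> pad_replicate(const uint8_t* src, int srcStep, int w, int h) {
    std::vector<uint8_t> padded(static_cast<std::size_t>(w + 1) * (h + 1));
    for (int y = 0; y <= h; ++y) {
        const uint8_t* row = src + static_cast<std::size_t>(y < h ? y : h - 1) * srcStep;
        for (int x = 0; x <= w; ++x)
            padded[static_cast<std::size_t>(y) * (w + 1) + x] = row[x < w ? x : w - 1];
    }
    return padded;
}

// Reference model of the quoted formula (not IPP itself). The weights are the
// usual bilinear ones, assumed here since the thread does not define a00..a11.
std::vector<uint8_t> copy_subpix_ref(const uint8_t* src, int srcStep, int w, int h,
                                     float dx, float dy) {
    const float a00 = (1 - dx) * (1 - dy), a10 = dx * (1 - dy);
    const float a01 = (1 - dx) * dy, a11 = dx * dy;
    std::vector<uint8_t> dst(static_cast<std::size_t>(w) * h);
    for (int y = 0; y < h; ++y) {
        const uint8_t* s = src + static_cast<std::size_t>(y) * srcStep;
        for (int j = 0; j < w; ++j)
            dst[static_cast<std::size_t>(y) * w + j] = static_cast<uint8_t>(std::lround(
                a00 * s[j] + a10 * s[j + 1] + a01 * s[j + srcStep] + a11 * s[j + srcStep + 1]));
    }
    return dst;
}

// The thread's 2x4 input, padded to 3x5 before the subpixel copy (dx=0.5, dy=0).
std::vector<uint8_t> demo() {
    const uint8_t input[8] = {10, 20, 100, 200, 10, 20, 100, 200};
    std::vector<uint8_t> padded = pad_replicate(input, 2, 2, 4);
    return copy_subpix_ref(padded.data(), 3, 2, 4, 0.5f, 0.0f);
}

int main() { for (uint8_t v : demo()) std::printf("%d ", v); std::printf("\n"); }
```

For the unpadded call in the thread (step 2, ROI 2x4) the required size is 11 bytes against an 8-byte buffer, which is the over-read the guard page catches; the padded 15-byte buffer with step 3 is exactly large enough.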
