virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

avcodec/hevcdec: check ff_init_cabac_decoder() for failure

Browse Source 
Fixes: runtime error: left shift of 1965559808 by 4 places cannot be represented in type 'int'
Fixes: 2333/clusterfuzz-testcase-minimized-5223935677300736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-06-24 14:46:17 +02:00
parent c1b43e8452
commit 933aa91e31
3 changed files with 37 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
libavcodec/hevc_cabac.c
View File

@ -467,12 +467,12 @@ static void cabac_reinit(HEVCLocalContext *lc)
skip_bytes(&lc->cc, 0); skip_bytes(&lc->cc, 0);
} }
static void cabac_init_decoder(HEVCContext *s) static int cabac_init_decoder(HEVCContext *s)
{ {
GetBitContext *gb = &s->HEVClc->gb; GetBitContext *gb = &s->HEVClc->gb;
skip_bits(gb, 1); skip_bits(gb, 1);
align_get_bits(gb); align_get_bits(gb);
ff_init_cabac_decoder(&s->HEVClc->cc, return ff_init_cabac_decoder(&s->HEVClc->cc,
gb->buffer + get_bits_count(gb) / 8, gb->buffer + get_bits_count(gb) / 8,
(get_bits_left(gb) + 7) / 8); (get_bits_left(gb) + 7) / 8);
} }
@ -501,10 +501,12 @@ static void cabac_init_state(HEVCContext *s)
s->HEVClc->stat_coeff[i] = 0; s->HEVClc->stat_coeff[i] = 0;
} }
void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts) int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
{ {
if (ctb_addr_ts == s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs]) { if (ctb_addr_ts == s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs]) {
cabac_init_decoder(s); int ret = cabac_init_decoder(s);
if (ret < 0)
return ret;
if (s->sh.dependent_slice_segment_flag == 0 || if (s->sh.dependent_slice_segment_flag == 0 ||
(s->ps.pps->tiles_enabled_flag && (s->ps.pps->tiles_enabled_flag &&
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1])) s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]))
@ -524,8 +526,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]) { s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]) {
if (s->threads_number == 1) if (s->threads_number == 1)
cabac_reinit(s->HEVClc); cabac_reinit(s->HEVClc);
else else {
cabac_init_decoder(s); int ret = cabac_init_decoder(s);
if (ret < 0)
return ret;
}
cabac_init_state(s); cabac_init_state(s);
} }
if (s->ps.pps->entropy_coding_sync_enabled_flag) { if (s->ps.pps->entropy_coding_sync_enabled_flag) {
@ -533,8 +538,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
get_cabac_terminate(&s->HEVClc->cc); get_cabac_terminate(&s->HEVClc->cc);
if (s->threads_number == 1) if (s->threads_number == 1)
cabac_reinit(s->HEVClc); cabac_reinit(s->HEVClc);
else else {
cabac_init_decoder(s); int ret = cabac_init_decoder(s);
if (ret < 0)
return ret;
}
if (s->ps.sps->ctb_width == 1) if (s->ps.sps->ctb_width == 1)
cabac_init_state(s); cabac_init_state(s);
@ -543,6 +551,7 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
} }
} }
} }
return 0;
} }
#define GET_CABAC(ctx) get_cabac(&s->HEVClc->cc, &s->HEVClc->cabac_state[ctx]) #define GET_CABAC(ctx) get_cabac(&s->HEVClc->cc, &s->HEVClc->cabac_state[ctx])

26
libavcodec/hevcdec.c
View File

@ -2337,6 +2337,7 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
int x_ctb = 0; int x_ctb = 0;
int y_ctb = 0; int y_ctb = 0;
int ctb_addr_ts = s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs]; int ctb_addr_ts = s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs];
int ret;
if (!ctb_addr_ts && s->sh.dependent_slice_segment_flag) { if (!ctb_addr_ts && s->sh.dependent_slice_segment_flag) {
av_log(s->avctx, AV_LOG_ERROR, "Impossible initial tile.\n"); av_log(s->avctx, AV_LOG_ERROR, "Impossible initial tile.\n");
@ -2358,7 +2359,11 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
y_ctb = (ctb_addr_rs / ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size; y_ctb = (ctb_addr_rs / ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size;
hls_decode_neighbour(s, x_ctb, y_ctb, ctb_addr_ts); hls_decode_neighbour(s, x_ctb, y_ctb, ctb_addr_ts);
ff_hevc_cabac_init(s, ctb_addr_ts); ret = ff_hevc_cabac_init(s, ctb_addr_ts);
if (ret < 0) {
s->tab_slice_address[ctb_addr_rs] = -1;
return ret;
}
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size); hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
@ -2417,7 +2422,9 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
if (ret < 0) if (ret < 0)
return ret; return ret;
ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]); ret = ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]);
if (ret < 0)
goto error;
} }
while(more_data && ctb_addr_ts < s->ps.sps->ctb_size) { while(more_data && ctb_addr_ts < s->ps.sps->ctb_size) {
@ -2433,15 +2440,15 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
return 0; return 0;
} }
ff_hevc_cabac_init(s, ctb_addr_ts); ret = ff_hevc_cabac_init(s, ctb_addr_ts);
if (ret < 0)
goto error;
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size); hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0); more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0);
if (more_data < 0) { if (more_data < 0) {
s->tab_slice_address[ctb_addr_rs] = -1; ret = more_data;
atomic_store(&s1->wpp_err, 1); goto error;
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
return more_data;
} }
ctb_addr_ts++; ctb_addr_ts++;
@ -2471,6 +2478,11 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
return 0; return 0;
error:
s->tab_slice_address[ctb_addr_rs] = -1;
atomic_store(&s1->wpp_err, 1);
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
return ret;
} }
static int hls_slice_data_wpp(HEVCContext *s, const H2645NAL *nal) static int hls_slice_data_wpp(HEVCContext *s, const H2645NAL *nal)

2
libavcodec/hevcdec.h
View File

@ -508,7 +508,7 @@ int ff_hevc_frame_rps(HEVCContext *s);
int ff_hevc_slice_rpl(HEVCContext *s); int ff_hevc_slice_rpl(HEVCContext *s);
void ff_hevc_save_states(HEVCContext *s, int ctb_addr_ts); void ff_hevc_save_states(HEVCContext *s, int ctb_addr_ts);
void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts); int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);
int ff_hevc_sao_merge_flag_decode(HEVCContext *s); int ff_hevc_sao_merge_flag_decode(HEVCContext *s);
int ff_hevc_sao_type_idx_decode(HEVCContext *s); int ff_hevc_sao_type_idx_decode(HEVCContext *s);
int ff_hevc_sao_band_position_decode(HEVCContext *s); int ff_hevc_sao_band_position_decode(HEVCContext *s);