avcodec/hevcdec: check ff_init_cabac_decoder() for failure
Fixes: runtime error: left shift of 1965559808 by 4 places cannot be represented in type 'int'
Fixes: 2333/clusterfuzz-testcase-minimized-5223935677300736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent
c1b43e8452
commit
933aa91e31
@ -467,12 +467,12 @@ static void cabac_reinit(HEVCLocalContext *lc)
|
||||
skip_bytes(&lc->cc, 0);
|
||||
}
|
||||
|
||||
static void cabac_init_decoder(HEVCContext *s)
|
||||
static int cabac_init_decoder(HEVCContext *s)
|
||||
{
|
||||
GetBitContext *gb = &s->HEVClc->gb;
|
||||
skip_bits(gb, 1);
|
||||
align_get_bits(gb);
|
||||
ff_init_cabac_decoder(&s->HEVClc->cc,
|
||||
return ff_init_cabac_decoder(&s->HEVClc->cc,
|
||||
gb->buffer + get_bits_count(gb) / 8,
|
||||
(get_bits_left(gb) + 7) / 8);
|
||||
}
|
||||
@ -501,10 +501,12 @@ static void cabac_init_state(HEVCContext *s)
|
||||
s->HEVClc->stat_coeff[i] = 0;
|
||||
}
|
||||
|
||||
void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
|
||||
int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
|
||||
{
|
||||
if (ctb_addr_ts == s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs]) {
|
||||
cabac_init_decoder(s);
|
||||
int ret = cabac_init_decoder(s);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
if (s->sh.dependent_slice_segment_flag == 0 ||
|
||||
(s->ps.pps->tiles_enabled_flag &&
|
||||
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]))
|
||||
@ -524,8 +526,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
|
||||
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]) {
|
||||
if (s->threads_number == 1)
|
||||
cabac_reinit(s->HEVClc);
|
||||
else
|
||||
cabac_init_decoder(s);
|
||||
else {
|
||||
int ret = cabac_init_decoder(s);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
}
|
||||
cabac_init_state(s);
|
||||
}
|
||||
if (s->ps.pps->entropy_coding_sync_enabled_flag) {
|
||||
@ -533,8 +538,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
|
||||
get_cabac_terminate(&s->HEVClc->cc);
|
||||
if (s->threads_number == 1)
|
||||
cabac_reinit(s->HEVClc);
|
||||
else
|
||||
cabac_init_decoder(s);
|
||||
else {
|
||||
int ret = cabac_init_decoder(s);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (s->ps.sps->ctb_width == 1)
|
||||
cabac_init_state(s);
|
||||
@ -543,6 +551,7 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define GET_CABAC(ctx) get_cabac(&s->HEVClc->cc, &s->HEVClc->cabac_state[ctx])
|
||||
|
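Review bot: The single-threaded branches of ff_hevc_cabac_init still call `cabac_reinit(s->HEVClc)`, which stays `static void` and discards whatever `skip_bytes(&lc->cc, 0)` returns, so only the `cabac_init_decoder()` paths gain a failure check in this change. skip_bytes is defined outside this page; if it can signal an exhausted bytestream, the `threads_number == 1` paths should propagate that too, for example by making cabac_reinit return int and writing `ret = cabac_reinit(s->HEVClc); if (ret < 0) return ret;`. Declaring `int ret;` once at the top of ff_hevc_cabac_init would also replace the three nested declarations.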
@ -2337,6 +2337,7 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
|
||||
int x_ctb = 0;
|
||||
int y_ctb = 0;
|
||||
int ctb_addr_ts = s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs];
|
||||
int ret;
|
||||
|
||||
if (!ctb_addr_ts && s->sh.dependent_slice_segment_flag) {
|
||||
av_log(s->avctx, AV_LOG_ERROR, "Impossible initial tile.\n");
|
||||
@ -2358,7 +2359,11 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
|
||||
y_ctb = (ctb_addr_rs / ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size;
|
||||
hls_decode_neighbour(s, x_ctb, y_ctb, ctb_addr_ts);
|
||||
|
||||
ff_hevc_cabac_init(s, ctb_addr_ts);
|
||||
ret = ff_hevc_cabac_init(s, ctb_addr_ts);
|
||||
if (ret < 0) {
|
||||
s->tab_slice_address[ctb_addr_rs] = -1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
|
||||
|
||||
@ -2417,7 +2422,9 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
|
||||
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]);
|
||||
ret = ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]);
|
||||
if (ret < 0)
|
||||
goto error;
|
||||
}
|
||||
|
||||
while(more_data && ctb_addr_ts < s->ps.sps->ctb_size) {
|
||||
@ -2433,15 +2440,15 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
|
||||
return 0;
|
||||
}
|
||||
|
||||
ff_hevc_cabac_init(s, ctb_addr_ts);
|
||||
ret = ff_hevc_cabac_init(s, ctb_addr_ts);
|
||||
if (ret < 0)
|
||||
goto error;
|
||||
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
|
||||
more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0);
|
||||
|
||||
if (more_data < 0) {
|
||||
s->tab_slice_address[ctb_addr_rs] = -1;
|
||||
atomic_store(&s1->wpp_err, 1);
|
||||
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
|
||||
return more_data;
|
||||
ret = more_data;
|
||||
goto error;
|
||||
}
|
||||
|
||||
ctb_addr_ts++;
|
||||
@ -2471,6 +2478,11 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
|
||||
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
|
||||
|
||||
return 0;
|
||||
error:
|
||||
s->tab_slice_address[ctb_addr_rs] = -1;
|
||||
atomic_store(&s1->wpp_err, 1);
|
||||
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int hls_slice_data_wpp(HEVCContext *s, const H2645NAL *nal)
|
||||
|
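Review bot: In hls_decode_entry_wpp the context line `if (ret < 0) return ret;` just before the new ff_init_cabac_decoder() check still returns directly, so that failure skips everything the new `error:` label does (marking tab_slice_address, setting `wpp_err`, reporting progress for the row). The call that sets `ret` there is outside the hunk, but if other WPP rows wait on this row's progress, they would be left without the report on that path; `if (ret < 0) goto error;` would make the two early failures consistent. It is also worth confirming that `ctb_addr_rs` is already initialised when `error:` is reached from before the while loop, since the label indexes tab_slice_address with it.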
@ -508,7 +508,7 @@ int ff_hevc_frame_rps(HEVCContext *s);
|
||||
int ff_hevc_slice_rpl(HEVCContext *s);
|
||||
|
||||
void ff_hevc_save_states(HEVCContext *s, int ctb_addr_ts);
|
||||
void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);
|
||||
int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);
|
||||
int ff_hevc_sao_merge_flag_decode(HEVCContext *s);
|
||||
int ff_hevc_sao_type_idx_decode(HEVCContext *s);
|
||||
int ff_hevc_sao_band_position_decode(HEVCContext *s);
|
||||
|
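Review bot: The prototype `int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);` changes from void to int without a comment stating the contract, and any caller outside this diff that still ignores the result will compile silently. A one-line comment such as `/* @return 0 on success, a negative AVERROR code if CABAC initialisation fails */` would document it. Marking the declaration `av_warn_unused_result` (assuming libavutil/attributes.h is reachable from this header) would let the compiler flag unchecked callers.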