From ef167512ab5da5c532f4a2212d8150ba9b81974b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Fri, 25 Jul 2025 18:51:16 +0200
Subject: [PATCH] avcodec/dovi_rpudec: parse RPU forward, don't try to find end
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of scanning backwards for the end of RPU payload, parse it and
report if we didn't land at the terminator byte.

Current expectation was that we can have additional zero bytes after RPU
payload, which were skipped to find playload end. That's not always the
case. So loosen this requirement.

This fixes files where there is additional non-zeroed padding after the
end of the RPU in NALU.

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavcodec/dovi_rpudec.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/libavcodec/dovi_rpudec.c b/libavcodec/dovi_rpudec.c
index c231d1c492..3b71965545 100644
--- a/libavcodec/dovi_rpudec.c
+++ b/libavcodec/dovi_rpudec.c
@@ -408,22 +408,6 @@ int ff_dovi_rpu_parse(DOVIContext *s, const uint8_t *rpu, size_t rpu_size,
         VALIDATE(rpu[0], 25, 25); /* NAL prefix */
         rpu++;
         rpu_size--;
-        /* Strip trailing padding bytes */
-        while (rpu_size && rpu[rpu_size - 1] == 0)
-            rpu_size--;
-    }
-
-    if (!rpu_size || rpu[rpu_size - 1] != 0x80)
-        return AVERROR_INVALIDDATA;
-
-    if (err_recognition & AV_EF_CRCCHECK) {
-        uint32_t crc = av_bswap32(av_crc(av_crc_get_table(AV_CRC_32_IEEE),
-                                  -1, rpu, rpu_size - 1)); /* exclude 0x80 */
-        if (crc) {
-            av_log(s->logctx, AV_LOG_ERROR, "RPU CRC mismatch: %X\n", crc);
-            if (err_recognition & AV_EF_EXPLODE)
-                return AVERROR_INVALIDDATA;
-        }
     }
 
     if ((ret = init_get_bits8(gb, rpu, rpu_size)) < 0)
@@ -738,5 +722,26 @@ int ff_dovi_rpu_parse(DOVIContext *s, const uint8_t *rpu, size_t rpu_size,
         av_refstruct_unref(&s->ext_blocks);
     }
 
+    align_get_bits(gb);
+    skip_bits(gb, 32); /* CRC32 */
+    if (get_bits(gb, 8) != 0x80) {
+        avpriv_request_sample(s->logctx, "Unexpected RPU format");
+        ff_dovi_ctx_unref(s);
+        return AVERROR_PATCHWELCOME;
+    }
+
+    if (err_recognition & AV_EF_CRCCHECK) {
+        rpu_size = get_bits_count(gb) / 8;
+        uint32_t crc = av_bswap32(av_crc(av_crc_get_table(AV_CRC_32_IEEE),
+                                  -1, rpu, rpu_size - 1)); /* exclude 0x80 */
+        if (crc) {
+            av_log(s->logctx, AV_LOG_ERROR, "RPU CRC mismatch: %X\n", crc);
+            if (err_recognition & AV_EF_EXPLODE) {
+                ff_dovi_ctx_unref(s);
+                return AVERROR_INVALIDDATA;
+            }
+        }
+    }
+
     return 0;
 }