Slices that end after their header (meaning slices after the header
without any data before the rbsp_stop_one_bit or possibly without any
rbsp_stop_one_bit at all) are invalid and are now dropped. This ensures
that one doesn't run into two asserts in cbs_h2645_write_slice_data().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: 19629/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5676822528524288
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 66fac1ff7ccbc4fb6a3aa6b9a95de7b6bc31d14e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Trailing zeroes are already discarded when splitting a fragment, which
makes the code to remove them when decomposing slices dead code.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8f701932b39a6345f2a8bab85f48d555a98802e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet
the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice,
as parameter sets with invalid ids were already filtered out during
reading.
Found via PVS-Studio (see ticket #8156).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3333c3c67e8825a4468120bb8aa0943c72c03f3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
cbs_h2645_read_more_rbsp_data does not handle malformed input very well:
1. If there were <= 8 bits left in the bitreader, these bits were read
via show_bits. But show_bits requires the number of bits to be read to
be > 0 (internally it shifts by 32 - number of bits to be read which is
undefined behaviour if said number is zero; there is also an assert for
this, but it is only an av_assert2). Furthermore, in this case a shift
by -1 was performed which is of course undefined behaviour, too.
2. If there were > 0 and <= 8 bits left and all of them were zero
(this can only happen for defective input), it was reported that there
was further RBSP data.
This can lead to an infinite loop in H.265's cbs_h265_read_extension_data
corresponding to the [vsp]ps_extension_data_flag syntax elements. If the
relevant flag indicates the (potential) occurrence of these syntax elements,
while all bits after this flag are zero, cbs_h2645_read_more_rbsp_data
always returns 1 on x86. Given that a checked bitstream reader is used,
we are also not "saved" by an overflow in the bitstream reader's index.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d4035ca849bdb90e95c87e2737a99ea657be0716)
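The end-of-data check described in the message above, as an added example; it is not FFmpeg's code and not part of the commit. `BitReader`, `peek_bits`, `more_rbsp_data` and `count_flags` are hypothetical names, and the sample bytes are constructed. It assumes trailing zero bytes were already stripped when the unit was split.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal bit reader (not FFmpeg's GetBitContext). */
typedef struct { const uint8_t *buf; size_t size_bits, pos; } BitReader;

/* Peek n bits (1 <= n <= 8), MSB first, without advancing. */
static unsigned peek_bits(const BitReader *br, unsigned n)
{
    unsigned v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos + i;
        v = (v << 1) | ((br->buf[p >> 3] >> (7 - (p & 7))) & 1u);
    }
    return v;
}

/* Returns 1 if payload bits remain before the RBSP trailing bits.
 * Assumes trailing zero bytes were already stripped from the unit. */
int more_rbsp_data(const BitReader *br)
{
    size_t left = br->size_bits - br->pos;
    if (left > 8)
        return 1;
    if (left == 0)   /* zero bits left: do not peek (the shift-by-32 case) */
        return 0;
    /* 1..8 bits left: payload exists only if a bit is set below the top
     * one. "Stop bit + zeros" and the malformed "all zeros" both give 0. */
    unsigned low_mask = (1u << (left - 1)) - 1u;
    return (peek_bits(br, (unsigned)left) & low_mask) != 0;
}

/* Loop shaped like an extension-data-flag reader: consume one flag per
 * iteration while payload remains; returns the number of flags read. */
size_t count_flags(const uint8_t *buf, size_t size_bits, size_t start_bit)
{
    BitReader br = { buf, size_bits, start_bit };
    size_t n = 0;
    while (more_rbsp_data(&br)) { br.pos++; n++; }
    return n;
}

int main(void)
{
    const uint8_t zeros[] = { 0x00 };  /* constructed: defective, no stop bit */
    printf("flags read from all-zero tail: %zu\n", count_flags(zeros, 8, 1));
    return 0;
}
```

Because the check returns 0 both for an exhausted reader and for an all-zero tail, the consuming loop stops on defective input instead of relying on the reader's index to overflow.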
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 3dc6adf326c8cd6c7fc830ccb8def8772835c676)
64c50c0e978cd556dc2da238dfe0bb367e7c1ab9 declared support for decomposing
them but omitted to implement it; this adds an implementation.
Also do the same for end-of-stream NAL units, since they are equivalent.
Similar to H264, cbs_h265_{read, write}_nal_unit() can handle HEVC
prefix SEI NAL units. Currently only the mastering display colour volume SEI
message is added; we may add more SEI messages later if needed.
Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>
Removes unnecessary data copies, and partially fixes potential issues
with dangling references held in said lists.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
This saves one malloc + memcpy per packet
The CodedBitstreamFragment buffer is padded to follow the requirements
of AVPacket.
Reviewed-by: jkqxz
Signed-off-by: James Almer <jamrial@gmail.com>
* commit 'eccc03c8fbc603a0a3257df66f0705f74fe2581a':
cbs_h264: Add support for filler NAL units
Some bitstream -> get_bits.
Merged-by: Mark Thompson <sw@jkqxz.net>
* commit 'a2ca8ed903b435446031a8a0792ca535e6ee2913':
cbs_h264: Add utility functions to insert/delete SEI messages
Merged-by: Mark Thompson <sw@jkqxz.net>
* commit 'ce5870a3a8f2b10668ee4f04c2ae0287f66f31b2':
cbs: Refcount all the things!
Some changes for bitstream API.
Merged-by: Mark Thompson <sw@jkqxz.net>
* commit '0e4c166cdd6446522a085dd9731967d09ac71f72':
cbs_h2645: Remove active ps references when it is replaced
Merged-by: Mark Thompson <sw@jkqxz.net>
This makes it easier for users of the CBS API to get alloc/free right -
all subelements use the buffer API so that it's clear how to free them.
It also allows eliding some redundant copies: the packet -> fragment copy
disappears after this change if the input packet is refcounted, and more
codec-specific cases are now possible (but not included in this patch).
(cherry picked from commit 867381b8b51fa21fa2b8f071f508f3d39cc9c1f0)
(cherry picked from commit f763489364416bb6866adc4f4a96012dd2ca1bd0)
(cherry picked from commit 067a9ddeb8feff1f724856f0054930c55219f76b)
(cherry picked from commit acf06f45441be24c5cbae0920579cd69427326a1)
(cherry picked from commit 768eb9182e94a94bc2ef46f565a0dac7afef3b57)
(cherry picked from commit e7f64191b27bcf37cbf7006606f0f439c6cdc24f)