mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00
FFmpeg/libavcodec/hevc_sei.c
Michael Niedermayer 0791a515d3 avcodec/hevc_sei: Check payload size in decode_nal_sei_message()
Fixes: out of array access
Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-10 12:28:29 +01:00


/*
* HEVC Supplementary Enhancement Information messages
*
* Copyright (C) 2012 - 2013 Guillaume Martres
* Copyright (C) 2012 - 2013 Gildas Cocherel
* Copyright (C) 2013 Vittorio Giovara
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "atsc_a53.h"
#include "dynamic_hdr10_plus.h"
#include "golomb.h"
#include "hevc_ps.h"
#include "hevc_sei.h"
/**
 * Parse a decoded picture hash SEI payload.
 *
 * Reads the 8-bit hash type, then one entry for each of three component
 * indices. Only MD5 entries (type 0) are stored in @p s; CRC (type 1) and
 * checksum (type 2) entries are skipped, and any other type reads nothing
 * further. The payload size is not passed in, so reads are bounded only by
 * the bit reader itself.
 *
 * @return always 0
 */
static int decode_nal_sei_decoded_picture_hash(HEVCSEIPictureHash *s, GetBitContext *gb)
{
    const uint8_t kind = get_bits(gb, 8);
    int plane;

    // Three components are always read; monochrome streams are not special-cased.
    for (plane = 0; plane < 3; plane++) {
        switch (kind) {
        case 0: { // MD5: 16 bytes per component
            int k = 0;

            s->is_md5 = 1;
            while (k < 16) {
                s->md5[plane][k] = get_bits(gb, 8);
                k++;
            }
            break;
        }
        case 1: // picture_crc
            skip_bits(gb, 16);
            break;
        case 2: // picture_checksum
            skip_bits(gb, 32);
            break;
        default:
            break;
        }
    }

    return 0;
}
/**
 * Parse a mastering display colour volume SEI payload.
 *
 * Fills @p s with three 16-bit (x, y) primaries, the 16-bit white point and
 * the 32-bit maximum and minimum luminance, in bitstream order.
 *
 * @return always 0
 */
static int decode_nal_sei_mastering_display_info(HEVCSEIMasteringDisplay *s, GetBitContext *gb)
{
    int prim = 0;

    // Mastering primaries, one (x, y) pair each
    while (prim < 3) {
        for (int coord = 0; coord < 2; coord++)
            s->display_primaries[prim][coord] = get_bits(gb, 16);
        prim++;
    }

    // White point (x, y)
    for (int coord = 0; coord < 2; coord++)
        s->white_point[coord] = get_bits(gb, 16);

    // Luminance range of the mastering display: maximum first, then minimum
    s->max_luminance = get_bits_long(gb, 32);
    s->min_luminance = get_bits_long(gb, 32);

    // The message precedes the first frame that references it. Starting the
    // flag at 2 and decrementing it on each IRAP access unit keeps the data
    // alive for the whole coded video sequence (e.g. between two IRAPs).
    s->present = 2;

    return 0;
}
/**
 * Parse a content light level information SEI payload.
 *
 * Stores the 16-bit maximum content light level followed by the 16-bit
 * maximum picture-average light level.
 *
 * @return always 0
 */
static int decode_nal_sei_content_light_info(HEVCSEIContentLight *s, GetBitContext *gb)
{
    const unsigned peak_level    = get_bits(gb, 16);
    const unsigned average_level = get_bits(gb, 16);

    s->max_content_light_level     = peak_level;
    s->max_pic_average_light_level = average_level;

    // The message precedes the first frame that references it. Starting the
    // flag at 2 and decrementing it on each IRAP access unit keeps the data
    // alive for the whole coded video sequence (e.g. between two IRAPs).
    s->present = 2;

    return 0;
}
/**
 * Parse a frame packing arrangement SEI payload.
 *
 * The arrangement is marked present when the cancel flag read after the id
 * is 0; only then are the arrangement fields read. The trailing
 * upsampled_aspect_ratio_flag is consumed in both cases.
 *
 * @return always 0
 */
static int decode_nal_sei_frame_packing_arrangement(HEVCSEIFramePacking *s, GetBitContext *gb)
{
    get_ue_golomb_long(gb);            // frame_packing_arrangement_id
    s->present = !get_bits1(gb);       // inverse of the cancel flag

    if (!s->present) {
        skip_bits1(gb);                // upsampled_aspect_ratio_flag
        return 0;
    }

    s->arrangement_type            = get_bits(gb, 7);
    s->quincunx_subsampling        = get_bits1(gb);
    s->content_interpretation_type = get_bits(gb, 6);

    skip_bits(gb, 3);   // spatial_flipping_flag, frame0_flipped_flag, field_views_flag
    s->current_frame_is_frame0_flag = get_bits1(gb);
    skip_bits(gb, 2);   // frame0_self_contained_flag, frame1_self_contained_flag

    // Grid positions are coded unless quincunx sampling or arrangement type 5 is in use.
    if (s->arrangement_type != 5 && !s->quincunx_subsampling)
        skip_bits(gb, 16);  // frame[01]_grid_position_[xy]

    skip_bits(gb, 8);   // frame_packing_arrangement_reserved_byte
    skip_bits1(gb);     // frame_packing_arrangement_persistence_flag
    skip_bits1(gb);     // upsampled_aspect_ratio_flag

    return 0;
}
/**
 * Parse a display orientation SEI payload.
 *
 * The orientation is marked present when the leading cancel flag is 0; the
 * flip flags and the 16-bit anticlockwise rotation are read only in that case.
 *
 * @return always 0
 */
static int decode_nal_sei_display_orientation(HEVCSEIDisplayOrientation *s, GetBitContext *gb)
{
    s->present = !get_bits1(gb);
    if (!s->present)
        return 0;

    s->hflip = get_bits1(gb);                       // hor_flip
    s->vflip = get_bits1(gb);                       // ver_flip
    s->anticlockwise_rotation = get_bits(gb, 16);
    skip_bits1(gb);                                 // display_orientation_persistence_flag

    return 0;
}
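/**
 * Parse a picture timing SEI payload.
 *
 * When the active SPS signals frame_field_info_present_flag, one byte is read
 * (pic_struct, source_scan_type, duplicate_flag and one further bit) and
 * pic_struct is mapped onto h->picture_struct. The rest of the payload is
 * skipped.
 *
 * @param s      SEI state; active_seq_parameter_set_id selects the SPS
 * @param gb     bit reader positioned at the start of the payload
 * @param ps     parameter sets holding the SPS list
 * @param logctx logging context
 * @param size   payload size in bytes
 * @return 0 on success, AVERROR(ENOMEM) if the active SPS is not available,
 *         AVERROR_INVALIDDATA if the payload is too short for the frame/field byte
 */
static int decode_nal_sei_pic_timing(HEVCSEI *s, GetBitContext *gb, const HEVCParamSets *ps,
                                     void *logctx, int size)
{
    HEVCSEIPictureTiming *h = &s->picture_timing;
    HEVCSPS *sps;

    // NOTE(review): a missing SPS is reported as ENOMEM; the code is kept
    // unchanged here in case callers depend on it.
    if (!ps->sps_list[s->active_seq_parameter_set_id])
        return AVERROR(ENOMEM);
    sps = (HEVCSPS *)ps->sps_list[s->active_seq_parameter_set_id]->data;

    if (sps->vui.frame_field_info_present_flag) {
        int pic_struct;

        // The frame/field info occupies one byte. With an empty payload the
        // byte read below would come from whatever follows this message, and
        // size would drop to -1, turning the final skip into a backwards seek.
        if (size < 1)
            return AVERROR_INVALIDDATA;

        pic_struct = get_bits(gb, 4);
        h->picture_struct = AV_PICTURE_STRUCTURE_UNKNOWN;
        if (pic_struct == 2 || pic_struct == 10 || pic_struct == 12) {
            av_log(logctx, AV_LOG_DEBUG, "BOTTOM Field\n");
            h->picture_struct = AV_PICTURE_STRUCTURE_BOTTOM_FIELD;
        } else if (pic_struct == 1 || pic_struct == 9 || pic_struct == 11) {
            av_log(logctx, AV_LOG_DEBUG, "TOP Field\n");
            h->picture_struct = AV_PICTURE_STRUCTURE_TOP_FIELD;
        } else if (pic_struct == 7) {
            av_log(logctx, AV_LOG_DEBUG, "Frame/Field Doubling\n");
            h->picture_struct = HEVC_SEI_PIC_STRUCT_FRAME_DOUBLING;
        } else if (pic_struct == 8) {
            av_log(logctx, AV_LOG_DEBUG, "Frame/Field Tripling\n");
            h->picture_struct = HEVC_SEI_PIC_STRUCT_FRAME_TRIPLING;
        }
        get_bits(gb, 2);                   // source_scan_type
        get_bits(gb, 1);                   // duplicate_flag
        skip_bits1(gb);
        size--;                            // one payload byte consumed above
    }

    // Everything after the frame/field byte is ignored.
    skip_bits_long(gb, 8 * size);

    return 0;
}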
/**
 * Hand an ATSC A/53 closed caption payload to ff_parse_a53_cc().
 *
 * The parser receives a raw pointer into the reader's buffer at the current
 * byte offset together with @p size, so @p size must not exceed the bytes
 * left in the buffer; this function itself only rejects sizes below 3.
 *
 * @param size remaining payload size in bytes
 * @return 0 on success, AVERROR_INVALIDDATA if @p size is below 3, otherwise
 *         the negative error returned by ff_parse_a53_cc()
 */
static int decode_registered_user_data_closed_caption(HEVCSEIA53Caption *s, GetBitContext *gb,
                                                      int size)
{
    const uint8_t *payload;
    int err;

    if (size < 3)
        return AVERROR_INVALIDDATA;

    payload = gb->buffer + get_bits_count(gb) / 8;
    err = ff_parse_a53_cc(&s->buf_ref, payload, size);
    if (err < 0)
        return err;

    // The parser read from the raw buffer; advance the bit reader past it.
    skip_bits_long(gb, size * 8);

    return 0;
}
/**
 * Copy an unregistered user data SEI payload into a new buffer and append it
 * to s->buf_ref.
 *
 * The copy is size + 1 bytes long with a trailing zero byte; the recorded
 * buffer size excludes that terminator.
 *
 * @param size payload size in bytes
 * @return 0 on success, AVERROR_INVALIDDATA if @p size is below 16 or not
 *         below INT_MAX - 1, AVERROR(ENOMEM) on allocation failure
 */
static int decode_nal_sei_user_data_unregistered(HEVCSEIUnregistered *s, GetBitContext *gb,
                                                 int size)
{
    AVBufferRef **grown;
    AVBufferRef *blob;
    int pos = 0;

    // The upper bound keeps size + 1 from overflowing in the allocation below.
    if (!(size >= 16 && size < INT_MAX - 1))
        return AVERROR_INVALIDDATA;

    // Grow the reference array first; on a later failure the enlarged array
    // simply stays attached to s with an unchanged element count.
    grown = av_realloc_array(s->buf_ref, s->nb_buf_ref + 1, sizeof(*s->buf_ref));
    if (!grown)
        return AVERROR(ENOMEM);
    s->buf_ref = grown;

    blob = av_buffer_alloc(size + 1);
    if (!blob)
        return AVERROR(ENOMEM);

    while (pos < size) {
        blob->data[pos] = get_bits(gb, 8);
        pos++;
    }
    blob->data[size] = 0;
    blob->size       = size;

    s->buf_ref[s->nb_buf_ref] = blob;
    s->nb_buf_ref++;

    return 0;
}
/**
 * Parse an HDR10+ (SMPTE 2094-40) ITU-T T.35 payload into freshly allocated
 * metadata and store it in s->info, replacing any previous buffer.
 *
 * The parser receives a raw pointer into the reader's buffer at the current
 * byte offset together with @p size, so @p size must not exceed the bytes
 * left in the buffer; no check is made here.
 *
 * @param size remaining payload size in bytes
 * @return 0 on success, AVERROR(ENOMEM) on allocation failure, otherwise the
 *         negative error returned by the parser
 */
static int decode_registered_user_data_dynamic_hdr_plus(HEVCSEIDynamicHDRPlus *s,
                                                        GetBitContext *gb, int size)
{
    size_t meta_size;
    AVDynamicHDRPlus *hdr = av_dynamic_hdr_plus_alloc(&meta_size);
    int ret;

    if (!hdr)
        return AVERROR(ENOMEM);

    ret = ff_parse_itu_t_t35_to_dynamic_hdr10_plus(hdr,
                                                   gb->buffer + get_bits_count(gb) / 8, size);
    if (ret >= 0) {
        // The previous metadata is dropped before the new buffer is wrapped.
        av_buffer_unref(&s->info);
        s->info = av_buffer_create((uint8_t *)hdr, meta_size, NULL, NULL, 0);
        if (s->info) {
            skip_bits_long(gb, size * 8);
            return 0;
        }
        ret = AVERROR(ENOMEM);
    }

    // Parse or wrap failed: the metadata was never handed to a buffer.
    av_free(hdr);
    return ret;
}
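/**
 * Parse a user data registered by ITU-T T.35 SEI payload.
 *
 * Reads the country code (plus extension byte when it is 0xFF) and, for the
 * USA country code, the provider code. SMPTE 2094-40 payloads go to the
 * HDR10+ parser and ATSC "GA94" payloads to the closed caption parser;
 * everything else is logged and skipped.
 *
 * @p size tracks the payload bytes not yet consumed, so each header field is
 * checked against it before being read.
 *
 * @param s      SEI state receiving the parsed data
 * @param gb     bit reader positioned at the start of the payload
 * @param logctx logging context
 * @param size   payload size in bytes
 * @return 0 on success or when the payload is skipped, AVERROR_INVALIDDATA
 *         if the payload is too short for its header, otherwise the result
 *         of the sub-parser
 */
static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitContext *gb,
                                                         void *logctx, int size)
{
    int country_code, provider_code;

    // Budget one byte of country code and two bytes of provider code up front.
    if (size < 3)
        return AVERROR_INVALIDDATA;
    size -= 3;

    country_code = get_bits(gb, 8);
    if (country_code == 0xFF) {
        if (size < 1)
            return AVERROR_INVALIDDATA;

        skip_bits(gb, 8);   // country code extension byte
        size--;
    }

    if (country_code != 0xB5) { // usa_country_code
        av_log(logctx, AV_LOG_VERBOSE,
               "Unsupported User Data Registered ITU-T T35 SEI message (country_code = %d)\n",
               country_code);
        // The two provider_code bytes were subtracted from size above but are
        // never read on this path. Put them back so that the skip at the end
        // consumes the whole payload and the next SEI message starts at the
        // right offset.
        size += 2;
        goto end;
    }

    provider_code = get_bits(gb, 16);

    switch (provider_code) {
    case 0x3C: { // smpte_provider_code
        // A/341 Amendment - 2094-40
        const uint16_t smpte2094_40_provider_oriented_code = 0x0001;
        const uint8_t smpte2094_40_application_identifier = 0x04;
        uint16_t provider_oriented_code;
        uint8_t application_identifier;

        if (size < 3)
            return AVERROR_INVALIDDATA;
        size -= 3;

        provider_oriented_code = get_bits(gb, 16);
        application_identifier = get_bits(gb, 8);
        if (provider_oriented_code == smpte2094_40_provider_oriented_code &&
            application_identifier == smpte2094_40_application_identifier) {
            return decode_registered_user_data_dynamic_hdr_plus(&s->dynamic_hdr_plus, gb, size);
        }
        break;
    }
    case 0x31: { // atsc_provider_code
        uint32_t user_identifier;

        if (size < 4)
            return AVERROR_INVALIDDATA;
        size -= 4;

        user_identifier = get_bits_long(gb, 32);
        switch (user_identifier) {
        case MKBETAG('G', 'A', '9', '4'):
            return decode_registered_user_data_closed_caption(&s->a53_caption, gb, size);
        default:
            av_log(logctx, AV_LOG_VERBOSE,
                   "Unsupported User Data Registered ITU-T T35 SEI message (atsc user_identifier = 0x%04x)\n",
                   user_identifier);
            break;
        }
        break;
    }
    default:
        av_log(logctx, AV_LOG_VERBOSE,
               "Unsupported User Data Registered ITU-T T35 SEI message (provider_code = %d)\n",
               provider_code);
        break;
    }

end:
    // Discard whatever part of the payload was not handed to a sub-parser.
    skip_bits_long(gb, size * 8);
    return 0;
}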
/**
 * Parse an active parameter sets SEI payload.
 *
 * Only the first active SPS id is stored in s->active_seq_parameter_set_id;
 * it is range-checked against HEVC_MAX_SPS_COUNT first. Any further ids are
 * read and discarded.
 *
 * @return 0 on success, AVERROR_INVALIDDATA if num_sps_ids_minus1 is outside
 *         0..15 or the SPS id is not below HEVC_MAX_SPS_COUNT
 */
static int decode_nal_sei_active_parameter_sets(HEVCSEI *s, GetBitContext *gb, void *logctx)
{
    int num_sps_ids_minus1;
    int extra_ids;
    unsigned active_seq_parameter_set_id;

    get_bits(gb, 4); // active_video_parameter_set_id
    get_bits(gb, 1); // self_contained_cvs_flag
    get_bits(gb, 1); // no_parameter_set_update_flag

    num_sps_ids_minus1 = get_ue_golomb_long(gb);
    if (!(num_sps_ids_minus1 >= 0 && num_sps_ids_minus1 <= 15)) {
        av_log(logctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1);
        return AVERROR_INVALIDDATA;
    }

    // The id is later used as an index into the SPS list, so bound it here.
    active_seq_parameter_set_id = get_ue_golomb_long(gb);
    if (active_seq_parameter_set_id >= HEVC_MAX_SPS_COUNT) {
        av_log(logctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id);
        return AVERROR_INVALIDDATA;
    }
    s->active_seq_parameter_set_id = active_seq_parameter_set_id;

    // Consume the remaining ids without storing them.
    extra_ids = num_sps_ids_minus1;
    while (extra_ids-- > 0)
        get_ue_golomb_long(gb); // active_seq_parameter_set_id[i]

    return 0;
}
/**
 * Parse an alternative transfer characteristics SEI payload: one byte giving
 * the preferred transfer characteristics.
 *
 * @return always 0
 */
static int decode_nal_sei_alternative_transfer(HEVCSEIAlternativeTransfer *s, GetBitContext *gb)
{
    const unsigned preferred = get_bits(gb, 8);

    s->preferred_transfer_characteristics = preferred;
    s->present = 1;

    return 0;
}
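/**
 * Parse a time code SEI payload.
 *
 * Reads up to three clock timestamps (num_clock_ts is a 2-bit field). For
 * each timestamp whose flag is set, the counting fields are stored and the
 * seconds, minutes and hours values are clipped to 0..59, 0..59 and 0..23.
 *
 * @param s  time code state to fill
 * @param gb bit reader positioned at the start of the payload
 * @return always 0
 */
static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)
{
    s->num_clock_ts = get_bits(gb, 2);

    for (int i = 0; i < s->num_clock_ts; i++) {
        s->clock_timestamp_flag[i] = get_bits(gb, 1);
        if (!s->clock_timestamp_flag[i])
            continue;

        s->units_field_based_flag[i] = get_bits(gb, 1);
        s->counting_type[i]          = get_bits(gb, 5);
        s->full_timestamp_flag[i]    = get_bits(gb, 1);
        s->discontinuity_flag[i]     = get_bits(gb, 1);
        s->cnt_dropped_flag[i]       = get_bits(gb, 1);
        s->n_frames[i]               = get_bits(gb, 9);

        if (s->full_timestamp_flag[i]) {
            s->seconds_value[i] = av_clip(get_bits(gb, 6), 0, 59);
            s->minutes_value[i] = av_clip(get_bits(gb, 6), 0, 59);
            s->hours_value[i]   = av_clip(get_bits(gb, 5), 0, 23);
        } else {
            // Each finer unit gates the presence of the next coarser one.
            s->seconds_flag[i] = get_bits(gb, 1);
            if (s->seconds_flag[i]) {
                s->seconds_value[i] = av_clip(get_bits(gb, 6), 0, 59);
                s->minutes_flag[i]  = get_bits(gb, 1);
                if (s->minutes_flag[i]) {
                    s->minutes_value[i] = av_clip(get_bits(gb, 6), 0, 59);
                    s->hours_flag[i]    = get_bits(gb, 1);
                    if (s->hours_flag[i])
                        s->hours_value[i] = av_clip(get_bits(gb, 5), 0, 23);
                }
            }
        }

        s->time_offset_length[i] = get_bits(gb, 5);
        if (s->time_offset_length[i] > 0) {
            // The length comes from a 5-bit field and can be as large as 31,
            // which is beyond the 25 bits get_bits() is specified for;
            // get_bits_long() handles the full range.
            s->time_offset_value[i] = get_bits_long(gb, s->time_offset_length[i]);
        }
    }

    s->present = 1;
    return 0;
}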
/**
 * Dispatch a prefix SEI message to the parser for its payload type.
 *
 * Unknown types are logged and their @p size bytes skipped. Several handlers
 * do not receive @p size at all, so the amount of data they consume depends
 * on the payload content rather than on the declared size.
 *
 * @param type payload type of the message
 * @param size payload size in bytes
 * @return the handler's result, or 0 for a skipped message
 */
static int decode_nal_sei_prefix(GetBitContext *gb, void *logctx, HEVCSEI *s,
                                 const HEVCParamSets *ps, int type, int size)
{
    int ret;

    switch (type) {
    case 256:  // Mismatched value from HM 8.1
        ret = decode_nal_sei_decoded_picture_hash(&s->picture_hash, gb);
        break;
    case SEI_TYPE_FRAME_PACKING_ARRANGEMENT:
        ret = decode_nal_sei_frame_packing_arrangement(&s->frame_packing, gb);
        break;
    case SEI_TYPE_DISPLAY_ORIENTATION:
        ret = decode_nal_sei_display_orientation(&s->display_orientation, gb);
        break;
    case SEI_TYPE_PIC_TIMING:
        ret = decode_nal_sei_pic_timing(s, gb, ps, logctx, size);
        break;
    case SEI_TYPE_MASTERING_DISPLAY_COLOUR_VOLUME:
        ret = decode_nal_sei_mastering_display_info(&s->mastering_display, gb);
        break;
    case SEI_TYPE_CONTENT_LIGHT_LEVEL_INFO:
        ret = decode_nal_sei_content_light_info(&s->content_light, gb);
        break;
    case SEI_TYPE_ACTIVE_PARAMETER_SETS:
        ret = decode_nal_sei_active_parameter_sets(s, gb, logctx);
        break;
    case SEI_TYPE_USER_DATA_REGISTERED_ITU_T_T35:
        ret = decode_nal_sei_user_data_registered_itu_t_t35(s, gb, logctx, size);
        break;
    case SEI_TYPE_USER_DATA_UNREGISTERED:
        ret = decode_nal_sei_user_data_unregistered(&s->unregistered, gb, size);
        break;
    case SEI_TYPE_ALTERNATIVE_TRANSFER_CHARACTERISTICS:
        ret = decode_nal_sei_alternative_transfer(&s->alternative_transfer, gb);
        break;
    case SEI_TYPE_TIME_CODE:
        ret = decode_nal_sei_timecode(&s->timecode, gb);
        break;
    default:
        av_log(logctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
        skip_bits_long(gb, 8 * size);
        ret = 0;
        break;
    }

    return ret;
}
/**
 * Dispatch a suffix SEI message. Only the decoded picture hash is parsed;
 * every other type is logged and its @p size bytes skipped.
 *
 * @param type payload type of the message
 * @param size payload size in bytes
 * @return the handler's result, or 0 for a skipped message
 */
static int decode_nal_sei_suffix(GetBitContext *gb, void *logctx, HEVCSEI *s,
                                 int type, int size)
{
    if (type == SEI_TYPE_DECODED_PICTURE_HASH)
        return decode_nal_sei_decoded_picture_hash(&s->picture_hash, gb);

    av_log(logctx, AV_LOG_DEBUG, "Skipped SUFFIX SEI %d\n", type);
    skip_bits_long(gb, 8 * size);

    return 0;
}
/**
 * Read one SEI message header and dispatch its payload.
 *
 * Payload type and payload size are each coded as a run of 0xFF bytes
 * followed by a final byte, summed together. Before dispatching, the declared
 * payload size is checked against the bits left in the reader; the handlers
 * that pass a raw buffer pointer and a byte count to a sub-parser rely on
 * this bound.
 *
 * @param nal_unit_type HEVC_NAL_SEI_PREFIX selects the prefix dispatcher,
 *                      anything else the suffix dispatcher
 * @return the dispatcher's result, or AVERROR_INVALIDDATA if the header or
 *         the declared payload does not fit in the remaining data
 */
static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
                                  const HEVCParamSets *ps, int nal_unit_type)
{
    int payload_type = 0;
    int payload_size = 0;
    int byte;

    av_log(logctx, AV_LOG_DEBUG, "Decoding SEI\n");

    // payload_type: sum of bytes up to and including the first non-0xFF one.
    // The second condition stops the sum before it can overflow an int.
    do {
        if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
            return AVERROR_INVALIDDATA;
        byte = get_bits(gb, 8);
        payload_type += byte;
    } while (byte == 0xFF);

    // payload_size: same coding. Requiring room for the size accumulated so
    // far keeps it bounded by the amount of data actually available.
    do {
        if (get_bits_left(gb) < 8 + 8LL*payload_size)
            return AVERROR_INVALIDDATA;
        byte = get_bits(gb, 8);
        payload_size += byte;
    } while (byte == 0xFF);

    // Reject a payload that claims more bytes than the reader has left.
    if (get_bits_left(gb) < 8LL*payload_size)
        return AVERROR_INVALIDDATA;

    if (nal_unit_type != HEVC_NAL_SEI_PREFIX) /* nal_unit_type == NAL_SEI_SUFFIX */
        return decode_nal_sei_suffix(gb, logctx, s, payload_type, payload_size);

    return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
}
/**
 * Tell whether another SEI message follows in the RBSP.
 *
 * @return nonzero if bits remain and the next byte is not 0x80, else 0
 */
static int more_rbsp_data(GetBitContext *gb)
{
    if (get_bits_left(gb) <= 0)
        return 0;

    return show_bits(gb, 8) != 0x80;
}
/**
 * Decode every SEI message in a SEI NAL unit.
 *
 * At least one message is decoded; decoding continues while
 * more_rbsp_data() reports further data and stops at the first error.
 *
 * @param type NAL unit type, passed through to the message decoder
 * @return 1 on success, otherwise the negative error of the failing message
 */
int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx, HEVCSEI *s,
                           const HEVCParamSets *ps, int type)
{
    for (;;) {
        const int err = decode_nal_sei_message(gb, logctx, s, ps, type);

        if (err < 0)
            return err;
        if (!more_rbsp_data(gb))
            break;
    }

    return 1;
}
/**
 * Release the buffers held by the SEI state: the A/53 caption buffer, every
 * unregistered user data buffer together with the array that holds them, and
 * the HDR10+ metadata buffer.
 */
void ff_hevc_reset_sei(HEVCSEI *s)
{
    int idx = 0;

    av_buffer_unref(&s->a53_caption.buf_ref);

    // Drop each stored reference before freeing the array itself.
    while (idx < s->unregistered.nb_buf_ref) {
        av_buffer_unref(&s->unregistered.buf_ref[idx]);
        idx++;
    }
    s->unregistered.nb_buf_ref = 0;
    av_freep(&s->unregistered.buf_ref);

    av_buffer_unref(&s->dynamic_hdr_plus.info);
}