mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-08 13:22:53 +02:00
c27c7b49dc
Fixes: out of array read Fixes: SIGSEGV_get_obu_bit_length_av1_parse Found-by: keval shah <skeval65@gmail.com> Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
175 lines
4.4 KiB
C
175 lines
4.4 KiB
C
/*
|
|
* AV1 common parsing code
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#ifndef AVCODEC_AV1_PARSE_H
|
|
#define AVCODEC_AV1_PARSE_H
|
|
|
|
#include <stdint.h>
|
|
|
|
#include "av1.h"
|
|
#include "avcodec.h"
|
|
#include "get_bits.h"
|
|
|
|
typedef struct AV1OBU {
|
|
/** Size of payload */
|
|
int size;
|
|
const uint8_t *data;
|
|
|
|
/**
|
|
* Size, in bits, of just the data, excluding the trailing_one_bit and
|
|
* any trailing padding.
|
|
*/
|
|
int size_bits;
|
|
|
|
/** Size of entire OBU, including header */
|
|
int raw_size;
|
|
const uint8_t *raw_data;
|
|
|
|
/** GetBitContext initialized to the start of the payload */
|
|
GetBitContext gb;
|
|
|
|
int type;
|
|
|
|
int temporal_id;
|
|
int spatial_id;
|
|
} AV1OBU;
|
|
|
|
/** An input packet split into OBUs */
|
|
typedef struct AV1Packet {
|
|
AV1OBU *obus;
|
|
int nb_obus;
|
|
int obus_allocated;
|
|
} AV1Packet;
|
|
|
|
/**
|
|
* Extract an OBU from a raw bitstream.
|
|
*
|
|
* @note This function does not copy or store any bitstream data. All
|
|
* the pointers in the AV1OBU structure will be valid as long
|
|
* as the input buffer also is.
|
|
*/
|
|
int ff_av1_extract_obu(AV1OBU *obu, const uint8_t *buf, int length,
|
|
void *logctx);
|
|
|
|
/**
|
|
* Split an input packet into OBUs.
|
|
*
|
|
* @note This function does not copy or store any bitstream data. All
|
|
* the pointers in the AV1Packet structure will be valid as
|
|
* long as the input buffer also is.
|
|
*/
|
|
int ff_av1_packet_split(AV1Packet *pkt, const uint8_t *buf, int length,
|
|
void *logctx);
|
|
|
|
/**
|
|
* Free all the allocated memory in the packet.
|
|
*/
|
|
void ff_av1_packet_uninit(AV1Packet *pkt);
|
|
|
|
static inline int64_t leb128(GetBitContext *gb) {
|
|
int64_t ret = 0;
|
|
int i;
|
|
|
|
for (i = 0; i < 8; i++) {
|
|
int byte = get_bits(gb, 8);
|
|
ret |= (int64_t)(byte & 0x7f) << (i * 7);
|
|
if (!(byte & 0x80))
|
|
break;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static inline int parse_obu_header(const uint8_t *buf, int buf_size,
|
|
int64_t *obu_size, int *start_pos, int *type,
|
|
int *temporal_id, int *spatial_id)
|
|
{
|
|
GetBitContext gb;
|
|
int ret, extension_flag, has_size_flag;
|
|
int64_t size;
|
|
|
|
ret = init_get_bits8(&gb, buf, FFMIN(buf_size, 2 + 8)); // OBU header fields + max leb128 length
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
if (get_bits1(&gb) != 0) // obu_forbidden_bit
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
*type = get_bits(&gb, 4);
|
|
extension_flag = get_bits1(&gb);
|
|
has_size_flag = get_bits1(&gb);
|
|
skip_bits1(&gb); // obu_reserved_1bit
|
|
|
|
if (extension_flag) {
|
|
*temporal_id = get_bits(&gb, 3);
|
|
*spatial_id = get_bits(&gb, 2);
|
|
skip_bits(&gb, 3); // extension_header_reserved_3bits
|
|
} else {
|
|
*temporal_id = *spatial_id = 0;
|
|
}
|
|
|
|
*obu_size = has_size_flag ? leb128(&gb)
|
|
: buf_size - 1 - extension_flag;
|
|
|
|
if (get_bits_left(&gb) < 0)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
*start_pos = get_bits_count(&gb) / 8;
|
|
|
|
size = *obu_size + *start_pos;
|
|
|
|
if (size > buf_size)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
return size;
|
|
}
|
|
|
|
static inline int get_obu_bit_length(const uint8_t *buf, int size, int type)
|
|
{
|
|
int v;
|
|
|
|
/* There are no trailing bits on these */
|
|
if (type == AV1_OBU_TILE_GROUP || type == AV1_OBU_FRAME) {
|
|
if (size > INT_MAX / 8)
|
|
return AVERROR(ERANGE);
|
|
else
|
|
return size * 8;
|
|
}
|
|
|
|
while (size > 0 && buf[size - 1] == 0)
|
|
size--;
|
|
|
|
if (!size)
|
|
return 0;
|
|
|
|
v = buf[size - 1];
|
|
|
|
if (size > INT_MAX / 8)
|
|
return AVERROR(ERANGE);
|
|
size *= 8;
|
|
|
|
/* Remove the trailing_one_bit and following trailing zeros */
|
|
if (v)
|
|
size -= ff_ctz(v) + 1;
|
|
|
|
return size;
|
|
}
|
|
|
|
#endif /* AVCODEC_AV1_PARSE_H */
|