mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-13 21:28:01 +02:00
0791a515d3
Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
503 lines
17 KiB
C
503 lines
17 KiB
C
/*
|
|
* HEVC Supplementary Enhancement Information messages
|
|
*
|
|
* Copyright (C) 2012 - 2013 Guillaume Martres
|
|
* Copyright (C) 2012 - 2013 Gildas Cocherel
|
|
* Copyright (C) 2013 Vittorio Giovara
|
|
*
|
|
* This file is part of FFmpeg.
|
|
*
|
|
* FFmpeg is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* FFmpeg is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with FFmpeg; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#include "atsc_a53.h"
|
|
#include "dynamic_hdr10_plus.h"
|
|
#include "golomb.h"
|
|
#include "hevc_ps.h"
|
|
#include "hevc_sei.h"
|
|
|
|
static int decode_nal_sei_decoded_picture_hash(HEVCSEIPictureHash *s, GetBitContext *gb)
|
|
{
|
|
int cIdx, i;
|
|
uint8_t hash_type;
|
|
//uint16_t picture_crc;
|
|
//uint32_t picture_checksum;
|
|
hash_type = get_bits(gb, 8);
|
|
|
|
for (cIdx = 0; cIdx < 3/*((s->sps->chroma_format_idc == 0) ? 1 : 3)*/; cIdx++) {
|
|
if (hash_type == 0) {
|
|
s->is_md5 = 1;
|
|
for (i = 0; i < 16; i++)
|
|
s->md5[cIdx][i] = get_bits(gb, 8);
|
|
} else if (hash_type == 1) {
|
|
// picture_crc = get_bits(gb, 16);
|
|
skip_bits(gb, 16);
|
|
} else if (hash_type == 2) {
|
|
// picture_checksum = get_bits_long(gb, 32);
|
|
skip_bits(gb, 32);
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_mastering_display_info(HEVCSEIMasteringDisplay *s, GetBitContext *gb)
|
|
{
|
|
int i;
|
|
// Mastering primaries
|
|
for (i = 0; i < 3; i++) {
|
|
s->display_primaries[i][0] = get_bits(gb, 16);
|
|
s->display_primaries[i][1] = get_bits(gb, 16);
|
|
}
|
|
// White point (x, y)
|
|
s->white_point[0] = get_bits(gb, 16);
|
|
s->white_point[1] = get_bits(gb, 16);
|
|
|
|
// Max and min luminance of mastering display
|
|
s->max_luminance = get_bits_long(gb, 32);
|
|
s->min_luminance = get_bits_long(gb, 32);
|
|
|
|
// As this SEI message comes before the first frame that references it,
|
|
// initialize the flag to 2 and decrement on IRAP access unit so it
|
|
// persists for the coded video sequence (e.g., between two IRAPs)
|
|
s->present = 2;
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_content_light_info(HEVCSEIContentLight *s, GetBitContext *gb)
|
|
{
|
|
// Max and average light levels
|
|
s->max_content_light_level = get_bits(gb, 16);
|
|
s->max_pic_average_light_level = get_bits(gb, 16);
|
|
// As this SEI message comes before the first frame that references it,
|
|
// initialize the flag to 2 and decrement on IRAP access unit so it
|
|
// persists for the coded video sequence (e.g., between two IRAPs)
|
|
s->present = 2;
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_frame_packing_arrangement(HEVCSEIFramePacking *s, GetBitContext *gb)
|
|
{
|
|
get_ue_golomb_long(gb); // frame_packing_arrangement_id
|
|
s->present = !get_bits1(gb);
|
|
|
|
if (s->present) {
|
|
s->arrangement_type = get_bits(gb, 7);
|
|
s->quincunx_subsampling = get_bits1(gb);
|
|
s->content_interpretation_type = get_bits(gb, 6);
|
|
|
|
// spatial_flipping_flag, frame0_flipped_flag, field_views_flag
|
|
skip_bits(gb, 3);
|
|
s->current_frame_is_frame0_flag = get_bits1(gb);
|
|
// frame0_self_contained_flag, frame1_self_contained_flag
|
|
skip_bits(gb, 2);
|
|
|
|
if (!s->quincunx_subsampling && s->arrangement_type != 5)
|
|
skip_bits(gb, 16); // frame[01]_grid_position_[xy]
|
|
skip_bits(gb, 8); // frame_packing_arrangement_reserved_byte
|
|
skip_bits1(gb); // frame_packing_arrangement_persistence_flag
|
|
}
|
|
skip_bits1(gb); // upsampled_aspect_ratio_flag
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_display_orientation(HEVCSEIDisplayOrientation *s, GetBitContext *gb)
|
|
{
|
|
s->present = !get_bits1(gb);
|
|
|
|
if (s->present) {
|
|
s->hflip = get_bits1(gb); // hor_flip
|
|
s->vflip = get_bits1(gb); // ver_flip
|
|
|
|
s->anticlockwise_rotation = get_bits(gb, 16);
|
|
skip_bits1(gb); // display_orientation_persistence_flag
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_pic_timing(HEVCSEI *s, GetBitContext *gb, const HEVCParamSets *ps,
|
|
void *logctx, int size)
|
|
{
|
|
HEVCSEIPictureTiming *h = &s->picture_timing;
|
|
HEVCSPS *sps;
|
|
|
|
if (!ps->sps_list[s->active_seq_parameter_set_id])
|
|
return(AVERROR(ENOMEM));
|
|
sps = (HEVCSPS*)ps->sps_list[s->active_seq_parameter_set_id]->data;
|
|
|
|
if (sps->vui.frame_field_info_present_flag) {
|
|
int pic_struct = get_bits(gb, 4);
|
|
h->picture_struct = AV_PICTURE_STRUCTURE_UNKNOWN;
|
|
if (pic_struct == 2 || pic_struct == 10 || pic_struct == 12) {
|
|
av_log(logctx, AV_LOG_DEBUG, "BOTTOM Field\n");
|
|
h->picture_struct = AV_PICTURE_STRUCTURE_BOTTOM_FIELD;
|
|
} else if (pic_struct == 1 || pic_struct == 9 || pic_struct == 11) {
|
|
av_log(logctx, AV_LOG_DEBUG, "TOP Field\n");
|
|
h->picture_struct = AV_PICTURE_STRUCTURE_TOP_FIELD;
|
|
} else if (pic_struct == 7) {
|
|
av_log(logctx, AV_LOG_DEBUG, "Frame/Field Doubling\n");
|
|
h->picture_struct = HEVC_SEI_PIC_STRUCT_FRAME_DOUBLING;
|
|
} else if (pic_struct == 8) {
|
|
av_log(logctx, AV_LOG_DEBUG, "Frame/Field Tripling\n");
|
|
h->picture_struct = HEVC_SEI_PIC_STRUCT_FRAME_TRIPLING;
|
|
}
|
|
get_bits(gb, 2); // source_scan_type
|
|
get_bits(gb, 1); // duplicate_flag
|
|
skip_bits1(gb);
|
|
size--;
|
|
}
|
|
skip_bits_long(gb, 8 * size);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_registered_user_data_closed_caption(HEVCSEIA53Caption *s, GetBitContext *gb,
|
|
int size)
|
|
{
|
|
int ret;
|
|
|
|
if (size < 3)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
ret = ff_parse_a53_cc(&s->buf_ref, gb->buffer + get_bits_count(gb) / 8, size);
|
|
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
skip_bits_long(gb, size * 8);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_user_data_unregistered(HEVCSEIUnregistered *s, GetBitContext *gb,
|
|
int size)
|
|
{
|
|
AVBufferRef *buf_ref, **tmp;
|
|
|
|
if (size < 16 || size >= INT_MAX - 1)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
tmp = av_realloc_array(s->buf_ref, s->nb_buf_ref + 1, sizeof(*s->buf_ref));
|
|
if (!tmp)
|
|
return AVERROR(ENOMEM);
|
|
s->buf_ref = tmp;
|
|
|
|
buf_ref = av_buffer_alloc(size + 1);
|
|
if (!buf_ref)
|
|
return AVERROR(ENOMEM);
|
|
|
|
for (int i = 0; i < size; i++)
|
|
buf_ref->data[i] = get_bits(gb, 8);
|
|
buf_ref->data[size] = 0;
|
|
buf_ref->size = size;
|
|
s->buf_ref[s->nb_buf_ref++] = buf_ref;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_registered_user_data_dynamic_hdr_plus(HEVCSEIDynamicHDRPlus *s,
|
|
GetBitContext *gb, int size)
|
|
{
|
|
size_t meta_size;
|
|
int err;
|
|
AVDynamicHDRPlus *metadata = av_dynamic_hdr_plus_alloc(&meta_size);
|
|
if (!metadata)
|
|
return AVERROR(ENOMEM);
|
|
|
|
err = ff_parse_itu_t_t35_to_dynamic_hdr10_plus(metadata,
|
|
gb->buffer + get_bits_count(gb) / 8, size);
|
|
if (err < 0) {
|
|
av_free(metadata);
|
|
return err;
|
|
}
|
|
|
|
av_buffer_unref(&s->info);
|
|
s->info = av_buffer_create((uint8_t *)metadata, meta_size, NULL, NULL, 0);
|
|
if (!s->info) {
|
|
av_free(metadata);
|
|
return AVERROR(ENOMEM);
|
|
}
|
|
|
|
skip_bits_long(gb, size * 8);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitContext *gb,
|
|
void *logctx, int size)
|
|
{
|
|
int country_code, provider_code;
|
|
|
|
if (size < 3)
|
|
return AVERROR_INVALIDDATA;
|
|
size -= 3;
|
|
|
|
country_code = get_bits(gb, 8);
|
|
if (country_code == 0xFF) {
|
|
if (size < 1)
|
|
return AVERROR_INVALIDDATA;
|
|
|
|
skip_bits(gb, 8);
|
|
size--;
|
|
}
|
|
|
|
if (country_code != 0xB5) { // usa_country_code
|
|
av_log(logctx, AV_LOG_VERBOSE,
|
|
"Unsupported User Data Registered ITU-T T35 SEI message (country_code = %d)\n",
|
|
country_code);
|
|
goto end;
|
|
}
|
|
|
|
provider_code = get_bits(gb, 16);
|
|
|
|
switch (provider_code) {
|
|
case 0x3C: { // smpte_provider_code
|
|
// A/341 Amendment - 2094-40
|
|
const uint16_t smpte2094_40_provider_oriented_code = 0x0001;
|
|
const uint8_t smpte2094_40_application_identifier = 0x04;
|
|
uint16_t provider_oriented_code;
|
|
uint8_t application_identifier;
|
|
|
|
if (size < 3)
|
|
return AVERROR_INVALIDDATA;
|
|
size -= 3;
|
|
|
|
provider_oriented_code = get_bits(gb, 16);
|
|
application_identifier = get_bits(gb, 8);
|
|
if (provider_oriented_code == smpte2094_40_provider_oriented_code &&
|
|
application_identifier == smpte2094_40_application_identifier) {
|
|
return decode_registered_user_data_dynamic_hdr_plus(&s->dynamic_hdr_plus, gb, size);
|
|
}
|
|
break;
|
|
}
|
|
case 0x31: { // atsc_provider_code
|
|
uint32_t user_identifier;
|
|
|
|
if (size < 4)
|
|
return AVERROR_INVALIDDATA;
|
|
size -= 4;
|
|
|
|
user_identifier = get_bits_long(gb, 32);
|
|
switch (user_identifier) {
|
|
case MKBETAG('G', 'A', '9', '4'):
|
|
return decode_registered_user_data_closed_caption(&s->a53_caption, gb, size);
|
|
default:
|
|
av_log(logctx, AV_LOG_VERBOSE,
|
|
"Unsupported User Data Registered ITU-T T35 SEI message (atsc user_identifier = 0x%04x)\n",
|
|
user_identifier);
|
|
break;
|
|
}
|
|
break;
|
|
}
|
|
default:
|
|
av_log(logctx, AV_LOG_VERBOSE,
|
|
"Unsupported User Data Registered ITU-T T35 SEI message (provider_code = %d)\n",
|
|
provider_code);
|
|
break;
|
|
}
|
|
|
|
end:
|
|
skip_bits_long(gb, size * 8);
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_active_parameter_sets(HEVCSEI *s, GetBitContext *gb, void *logctx)
|
|
{
|
|
int num_sps_ids_minus1;
|
|
int i;
|
|
unsigned active_seq_parameter_set_id;
|
|
|
|
get_bits(gb, 4); // active_video_parameter_set_id
|
|
get_bits(gb, 1); // self_contained_cvs_flag
|
|
get_bits(gb, 1); // num_sps_ids_minus1
|
|
num_sps_ids_minus1 = get_ue_golomb_long(gb); // num_sps_ids_minus1
|
|
|
|
if (num_sps_ids_minus1 < 0 || num_sps_ids_minus1 > 15) {
|
|
av_log(logctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1);
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
|
|
active_seq_parameter_set_id = get_ue_golomb_long(gb);
|
|
if (active_seq_parameter_set_id >= HEVC_MAX_SPS_COUNT) {
|
|
av_log(logctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id);
|
|
return AVERROR_INVALIDDATA;
|
|
}
|
|
s->active_seq_parameter_set_id = active_seq_parameter_set_id;
|
|
|
|
for (i = 1; i <= num_sps_ids_minus1; i++)
|
|
get_ue_golomb_long(gb); // active_seq_parameter_set_id[i]
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_alternative_transfer(HEVCSEIAlternativeTransfer *s, GetBitContext *gb)
|
|
{
|
|
s->present = 1;
|
|
s->preferred_transfer_characteristics = get_bits(gb, 8);
|
|
return 0;
|
|
}
|
|
|
|
static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)
|
|
{
|
|
s->num_clock_ts = get_bits(gb, 2);
|
|
|
|
for (int i = 0; i < s->num_clock_ts; i++) {
|
|
s->clock_timestamp_flag[i] = get_bits(gb, 1);
|
|
|
|
if (s->clock_timestamp_flag[i]) {
|
|
s->units_field_based_flag[i] = get_bits(gb, 1);
|
|
s->counting_type[i] = get_bits(gb, 5);
|
|
s->full_timestamp_flag[i] = get_bits(gb, 1);
|
|
s->discontinuity_flag[i] = get_bits(gb, 1);
|
|
s->cnt_dropped_flag[i] = get_bits(gb, 1);
|
|
|
|
s->n_frames[i] = get_bits(gb, 9);
|
|
|
|
if (s->full_timestamp_flag[i]) {
|
|
s->seconds_value[i] = av_clip(get_bits(gb, 6), 0, 59);
|
|
s->minutes_value[i] = av_clip(get_bits(gb, 6), 0, 59);
|
|
s->hours_value[i] = av_clip(get_bits(gb, 5), 0, 23);
|
|
} else {
|
|
s->seconds_flag[i] = get_bits(gb, 1);
|
|
if (s->seconds_flag[i]) {
|
|
s->seconds_value[i] = av_clip(get_bits(gb, 6), 0, 59);
|
|
s->minutes_flag[i] = get_bits(gb, 1);
|
|
if (s->minutes_flag[i]) {
|
|
s->minutes_value[i] = av_clip(get_bits(gb, 6), 0, 59);
|
|
s->hours_flag[i] = get_bits(gb, 1);
|
|
if (s->hours_flag[i]) {
|
|
s->hours_value[i] = av_clip(get_bits(gb, 5), 0, 23);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
s->time_offset_length[i] = get_bits(gb, 5);
|
|
if (s->time_offset_length[i] > 0) {
|
|
s->time_offset_value[i] = get_bits(gb, s->time_offset_length[i]);
|
|
}
|
|
}
|
|
}
|
|
|
|
s->present = 1;
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int decode_nal_sei_prefix(GetBitContext *gb, void *logctx, HEVCSEI *s,
|
|
const HEVCParamSets *ps, int type, int size)
|
|
{
|
|
switch (type) {
|
|
case 256: // Mismatched value from HM 8.1
|
|
return decode_nal_sei_decoded_picture_hash(&s->picture_hash, gb);
|
|
case SEI_TYPE_FRAME_PACKING_ARRANGEMENT:
|
|
return decode_nal_sei_frame_packing_arrangement(&s->frame_packing, gb);
|
|
case SEI_TYPE_DISPLAY_ORIENTATION:
|
|
return decode_nal_sei_display_orientation(&s->display_orientation, gb);
|
|
case SEI_TYPE_PIC_TIMING:
|
|
return decode_nal_sei_pic_timing(s, gb, ps, logctx, size);
|
|
case SEI_TYPE_MASTERING_DISPLAY_COLOUR_VOLUME:
|
|
return decode_nal_sei_mastering_display_info(&s->mastering_display, gb);
|
|
case SEI_TYPE_CONTENT_LIGHT_LEVEL_INFO:
|
|
return decode_nal_sei_content_light_info(&s->content_light, gb);
|
|
case SEI_TYPE_ACTIVE_PARAMETER_SETS:
|
|
return decode_nal_sei_active_parameter_sets(s, gb, logctx);
|
|
case SEI_TYPE_USER_DATA_REGISTERED_ITU_T_T35:
|
|
return decode_nal_sei_user_data_registered_itu_t_t35(s, gb, logctx, size);
|
|
case SEI_TYPE_USER_DATA_UNREGISTERED:
|
|
return decode_nal_sei_user_data_unregistered(&s->unregistered, gb, size);
|
|
case SEI_TYPE_ALTERNATIVE_TRANSFER_CHARACTERISTICS:
|
|
return decode_nal_sei_alternative_transfer(&s->alternative_transfer, gb);
|
|
case SEI_TYPE_TIME_CODE:
|
|
return decode_nal_sei_timecode(&s->timecode, gb);
|
|
default:
|
|
av_log(logctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
|
|
skip_bits_long(gb, 8 * size);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static int decode_nal_sei_suffix(GetBitContext *gb, void *logctx, HEVCSEI *s,
|
|
int type, int size)
|
|
{
|
|
switch (type) {
|
|
case SEI_TYPE_DECODED_PICTURE_HASH:
|
|
return decode_nal_sei_decoded_picture_hash(&s->picture_hash, gb);
|
|
default:
|
|
av_log(logctx, AV_LOG_DEBUG, "Skipped SUFFIX SEI %d\n", type);
|
|
skip_bits_long(gb, 8 * size);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
|
|
const HEVCParamSets *ps, int nal_unit_type)
|
|
{
|
|
int payload_type = 0;
|
|
int payload_size = 0;
|
|
int byte = 0xFF;
|
|
av_log(logctx, AV_LOG_DEBUG, "Decoding SEI\n");
|
|
|
|
while (byte == 0xFF) {
|
|
if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
|
|
return AVERROR_INVALIDDATA;
|
|
byte = get_bits(gb, 8);
|
|
payload_type += byte;
|
|
}
|
|
byte = 0xFF;
|
|
while (byte == 0xFF) {
|
|
if (get_bits_left(gb) < 8 + 8LL*payload_size)
|
|
return AVERROR_INVALIDDATA;
|
|
byte = get_bits(gb, 8);
|
|
payload_size += byte;
|
|
}
|
|
if (get_bits_left(gb) < 8LL*payload_size)
|
|
return AVERROR_INVALIDDATA;
|
|
if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
|
|
return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
|
|
} else { /* nal_unit_type == NAL_SEI_SUFFIX */
|
|
return decode_nal_sei_suffix(gb, logctx, s, payload_type, payload_size);
|
|
}
|
|
}
|
|
|
|
static int more_rbsp_data(GetBitContext *gb)
|
|
{
|
|
return get_bits_left(gb) > 0 && show_bits(gb, 8) != 0x80;
|
|
}
|
|
|
|
int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx, HEVCSEI *s,
|
|
const HEVCParamSets *ps, int type)
|
|
{
|
|
int ret;
|
|
|
|
do {
|
|
ret = decode_nal_sei_message(gb, logctx, s, ps, type);
|
|
if (ret < 0)
|
|
return ret;
|
|
} while (more_rbsp_data(gb));
|
|
return 1;
|
|
}
|
|
|
|
void ff_hevc_reset_sei(HEVCSEI *s)
|
|
{
|
|
av_buffer_unref(&s->a53_caption.buf_ref);
|
|
|
|
for (int i = 0; i < s->unregistered.nb_buf_ref; i++)
|
|
av_buffer_unref(&s->unregistered.buf_ref[i]);
|
|
s->unregistered.nb_buf_ref = 0;
|
|
av_freep(&s->unregistered.buf_ref);
|
|
av_buffer_unref(&s->dynamic_hdr_plus.info);
|
|
}
|