Diffstat (limited to 'libavcodec/h264_parse.c')
-rw-r--r-- | libavcodec/h264_parse.c | 77 |
1 files changed, 48 insertions, 29 deletions
diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index d694558ecc..0c873196dc 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -1,18 +1,18 @@ /* - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -26,7 +26,7 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, const int *ref_count, int slice_type_nos, - H264PredWeightTable *pwt) + H264PredWeightTable *pwt, void *logctx) { int list, i, j; int luma_def, chroma_def; 
@@ -36,6 +36,16 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->luma_log2_weight_denom = get_ue_golomb(gb); if (sps->chroma_format_idc) pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + + if (pwt->luma_log2_weight_denom > 7U) { + av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom); + pwt->luma_log2_weight_denom = 0; + } + if (pwt->chroma_log2_weight_denom > 7U) { + av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); + pwt->chroma_log2_weight_denom = 0; + } + luma_def = 1 << pwt->luma_log2_weight_denom; chroma_def = 1 << pwt->chroma_log2_weight_denom; @@ -116,7 +126,7 @@ int ff_h264_check_intra4x4_pred_mode(int8_t *pred_mode_cache, void *logctx, int status = top[pred_mode_cache[scan8[0] + i]]; if (status < 0) { av_log(logctx, AV_LOG_ERROR, - "top block unavailable for requested intra4x4 mode %d\n", + "top block unavailable for requested intra mode %d\n", status); return AVERROR_INVALIDDATA; } else if (status) { @@ -172,17 +182,17 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available, if ((left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; + if (mode < 0) { + av_log(logctx, AV_LOG_ERROR, + "left block unavailable for requested intra mode\n"); + return AVERROR_INVALIDDATA; + } if (is_chroma && (left_samples_available & 0x8080)) { // mad cow disease mode, aka MBAFF + constrained_intra_pred mode = ALZHEIMER_DC_L0T_PRED8x8 + (!(left_samples_available & 0x8000)) + 2 * (mode == DC_128_PRED8x8); } - if (mode < 0) { - av_log(logctx, AV_LOG_ERROR, - "left block unavailable for requested intra mode\n"); - return AVERROR_INVALIDDATA; - } } return mode; 
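Review bot: The chroma range check runs even when `sps->chroma_format_idc` is 0, so in that case it tests a `pwt->chroma_log2_weight_denom` that this call never read from the bitstream. Whether a stale value can be present depends on how the caller initialises `pwt`, which is not visible here, but the error message would then describe data that was never parsed. Since `chroma_def = 1 << pwt->chroma_log2_weight_denom` is computed unconditionally, the simplest fix is to give the field a defined value on the no-chroma path, `else pwt->chroma_log2_weight_denom = 0;`. Both checks also reset to 0 and keep parsing instead of returning `AVERROR_INVALIDDATA`; a comment such as `/* conceal: clamp so the shifts below stay defined */` would record that this is deliberate. The function body continues outside the hunk.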
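Review bot: The reason the `mode < 0` test in `ff_h264_check_intra_pred_mode` now sits above the MBAFF branch is not recorded in the code, and the ordering is easy to undo in a later cleanup. In the old order the chroma remap assigned `mode` from `ALZHEIMER_DC_L0T_PRED8x8 + ...` first, so a negative `left[mode]` was overwritten before it could be rejected. A one-line comment on the new check, such as `/* must precede the MBAFF remap below, which would overwrite a negative left[mode] */`, would keep that visible. The message also omits the offending value, unlike the top-block message, which prints it with `%d`. The function starts outside the hunk.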
@@ -190,27 +200,36 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available, int ff_h264_parse_ref_count(int *plist_count, int ref_count[2], GetBitContext *gb, const PPS *pps, - int slice_type_nos, int picture_structure) + int slice_type_nos, int picture_structure, void *logctx) { int list_count; - int num_ref_idx_active_override_flag, max_refs; + int num_ref_idx_active_override_flag; // set defaults, might be overridden a few lines later ref_count[0] = pps->ref_count[0]; ref_count[1] = pps->ref_count[1]; if (slice_type_nos != AV_PICTURE_TYPE_I) { + unsigned max[2]; + max[0] = max[1] = picture_structure == PICT_FRAME ? 15 : 31; + num_ref_idx_active_override_flag = get_bits1(gb); if (num_ref_idx_active_override_flag) { ref_count[0] = get_ue_golomb(gb) + 1; - if (ref_count[0] < 1) - goto fail; if (slice_type_nos == AV_PICTURE_TYPE_B) { ref_count[1] = get_ue_golomb(gb) + 1; - if (ref_count[1] < 1) - goto fail; - } + } else + // full range is spec-ok in this case, even for frames + ref_count[1] = 1; + } + + if (ref_count[0] - 1 > max[0] || ref_count[1] - 1 > max[1]) { + av_log(logctx, AV_LOG_ERROR, "reference overflow %u > %u or %u > %u\n", + ref_count[0] - 1, max[0], ref_count[1] - 1, max[1]); + ref_count[0] = ref_count[1] = 0; + *plist_count = 0; + goto fail; } if (slice_type_nos == AV_PICTURE_TYPE_B) @@ -222,11 +241,6 @@ int ff_h264_parse_ref_count(int *plist_count, int ref_count[2], ref_count[0] = ref_count[1] = 0; } - max_refs = picture_structure == PICT_FRAME ? 16 : 32; - - if (ref_count[0] > max_refs || ref_count[1] > max_refs) - goto fail; - *plist_count = list_count; return 0; 
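Review bot: The new bound `ref_count[0] - 1 > max[0]` relies on the implicit int-to-unsigned conversion to reject zero and negative counts, now that the explicit `ref_count[n] < 1` tests are removed. That is correct as written, but it silently stops working if `max` is ever changed to `int`, so the conversion should be spelled out: `if ((unsigned)(ref_count[0] - 1) > max[0] || (unsigned)(ref_count[1] - 1) > max[1]) {`. The `av_log` call passes the same `int` expressions to `%u` and would take the same casts. If `get_ue_golomb()` can return values near `INT_MAX` (its range is not visible here), the `+ 1` is a signed overflow before the check is reached. The `fail` label is outside the hunk.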
@@ -323,15 +337,17 @@ static int decode_extradata_ps(const uint8_t *data, int size, H264ParamSets *ps, H2645Packet pkt = { 0 }; int i, ret = 0; - ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264); - if (ret < 0) + ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264, 1); + if (ret < 0) { + ret = 0; goto fail; + } for (i = 0; i < pkt.nb_nals; i++) { H2645NAL *nal = &pkt.nals[i]; switch (nal->type) { case H264_NAL_SPS: - ret = ff_h264_decode_seq_parameter_set(&nal->gb, logctx, ps); + ret = ff_h264_decode_seq_parameter_set(&nal->gb, logctx, ps, 0); if (ret < 0) goto fail; break; @@ -409,6 +425,9 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps, { int ret; + if (!data || size <= 0) + return -1; + if (data[0] == 1) { int i, cnt, nalsize; const uint8_t *p = data; @@ -425,7 +444,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps, p += 6; for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; - if (p - data + nalsize > size) + if (nalsize > size - (p - data)) return AVERROR_INVALIDDATA; ret = decode_extradata_ps_mp4(p, nalsize, ps, err_recognition, logctx); if (ret < 0) { @@ -439,7 +458,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps, cnt = *(p++); // Number of pps for (i = 0; i < cnt; i++) { nalsize = AV_RB16(p) + 2; - if (p - data + nalsize > size) + if (nalsize > size - (p - data)) return AVERROR_INVALIDDATA; ret = decode_extradata_ps_mp4(p, nalsize, ps, err_recognition, logctx); if (ret < 0) { @@ -457,7 +476,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps, if (ret < 0) return ret; } - return 0; + return size; } /** |
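Review bot: A failed `ff_h2645_packet_split()` in `decode_extradata_ps` is now turned into success by `ret = 0; goto fail;`, and nothing is logged on that path. Assuming the `fail` label (outside the hunk) only releases `pkt` and returns `ret`, the caller cannot tell extradata that was parsed from extradata that was skipped entirely. If tolerating unsplittable extradata is intended, say so in a comment and leave a trace, e.g. `av_log(logctx, AV_LOG_WARNING, "extradata could not be split, ignoring\n");` before `ret = 0;`. The new trailing arguments `1` and `0` on the two calls are bare literals whose meaning cannot be read from this hunk.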
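Review bot: The new guard at the top of `ff_h264_decode_extradata` returns a bare `-1`, while the rejections in the loops further down return `AVERROR_INVALIDDATA`. `return AVERROR_INVALIDDATA;` would keep the error codes uniform for callers that map them to messages. The guard only guarantees one readable byte, and the avcC branch goes on to `p += 6` and `*(p++)`; whether a minimum-length check precedes those reads cannot be seen from this hunk.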
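Review bot: `AV_RB16(p)` reads two bytes before the rewritten comparison `nalsize > size - (p - data)` runs, so the bound covers the NAL payload but not the length field itself. If fewer than two bytes remain at `p` (how `p` advances is outside the hunk), the read comes first, and only padding behind the buffer, if the caller provides any, keeps it in bounds. A guard ahead of the read, `if (size - (p - data) < 2) return AVERROR_INVALIDDATA;`, would close that. The same applies to the PPS loop in the following hunk, and to the `cnt = *(p++)` read that precedes it.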
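Review bot: Success is now reported as `size` instead of 0 at the end of `ff_h264_decode_extradata`, so any caller that tests the result with `if (ret)` or `ret != 0` would treat a good parse as a failure. The callers are not part of this diff; they need to test `ret < 0`. The new contract should be stated where the function is declared, for example `@return size on success, a negative value on failure`.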