X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fh264_ps.c;h=fa9fa7d25b32d9deaf627d2118ef745d774f7e7f;hb=99404597201911de90cff2ef85f2d44176d39147;hp=9eb252dffaf9e59204d4ca06d59d1745bc85d101;hpb=bfd26b7ce6efea594f2b99441d900419df3af638;p=ffmpeg diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 9eb252dffaf..fa9fa7d25b3 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -25,6 +25,8 @@ * @author Michael Niedermayer */ +#include + #include "libavutil/imgutils.h" #include "internal.h" #include "avcodec.h" @@ -186,7 +188,7 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps) sps->time_scale = get_bits_long(&h->gb, 32); if (!sps->num_units_in_tick || !sps->time_scale) { av_log(h->avctx, AV_LOG_ERROR, - "time_scale/num_units_in_tick invalid or unsupported (%d/%d)\n", + "time_scale/num_units_in_tick invalid or unsupported (%"PRIu32"/%"PRIu32")\n", sps->time_scale, sps->num_units_in_tick); return AVERROR_INVALIDDATA; } @@ -224,7 +226,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps) if (sps->num_reorder_frames > 16U /* max_dec_frame_buffering || max_dec_frame_buffering > 16 */) { av_log(h->avctx, AV_LOG_ERROR, - "illegal num_reorder_frames %d\n", sps->num_reorder_frames); + "Clipping illegal num_reorder_frames %d\n", + sps->num_reorder_frames); + sps->num_reorder_frames = 16; return AVERROR_INVALIDDATA; } } @@ -304,18 +308,21 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) constraint_set_flags |= get_bits1(&h->gb) << 1; // constraint_set1_flag constraint_set_flags |= get_bits1(&h->gb) << 2; // constraint_set2_flag constraint_set_flags |= get_bits1(&h->gb) << 3; // constraint_set3_flag - get_bits(&h->gb, 4); // reserved + constraint_set_flags |= get_bits1(&h->gb) << 4; // constraint_set4_flag + constraint_set_flags |= get_bits1(&h->gb) << 5; // constraint_set5_flag + skip_bits(&h->gb, 2); // reserved_zero_2bits level_idc = get_bits(&h->gb, 8); sps_id = get_ue_golomb_31(&h->gb); if (sps_id >= MAX_SPS_COUNT) { - av_log(h->avctx, AV_LOG_ERROR, "sps_id (%d) out of range\n", sps_id); + av_log(h->avctx, AV_LOG_ERROR, "sps_id %u out of range\n", sps_id); return AVERROR_INVALIDDATA; } sps = av_mallocz(sizeof(SPS)); if (!sps) return AVERROR(ENOMEM); + sps->sps_id = sps_id; sps->time_offset_length = 24; sps->profile_idc = profile_idc; sps->constraint_set_flags = constraint_set_flags; @@ -325,16 +332,21 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8)); sps->scaling_matrix_present = 0; - if (sps->profile_idc == 100 || sps->profile_idc == 110 || - sps->profile_idc == 122 || sps->profile_idc == 244 || - sps->profile_idc == 44 || sps->profile_idc == 83 || - sps->profile_idc == 86 || sps->profile_idc == 118 || - sps->profile_idc == 128 || sps->profile_idc == 144) { + if (sps->profile_idc == 100 || // High profile + sps->profile_idc == 110 || // High10 profile + sps->profile_idc == 122 || // High422 profile + sps->profile_idc == 244 || // High444 Predictive profile + sps->profile_idc == 44 || // Cavlc444 profile + sps->profile_idc == 83 || // Scalable Constrained High profile (SVC) + sps->profile_idc == 86 || // Scalable High Intra profile (SVC) + sps->profile_idc == 118 || // Stereo High profile (MVC) + sps->profile_idc == 128 || // Multiview High profile (MVC) + sps->profile_idc == 138 || // Multiview Depth High profile (MVCD) + sps->profile_idc == 144) { // old High444 profile sps->chroma_format_idc = get_ue_golomb_31(&h->gb); if (sps->chroma_format_idc > 3) { - av_log(h->avctx, AV_LOG_ERROR, - "chroma_format_idc (%u) out of range\n", - sps->chroma_format_idc); + avpriv_request_sample(h->avctx, "chroma_format_idc %u", + sps->chroma_format_idc); goto fail; } else if (sps->chroma_format_idc == 3) { sps->residual_color_transform_flag = get_bits1(&h->gb); @@ -378,7 +390,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) if ((unsigned)sps->poc_cycle_length >= FF_ARRAY_ELEMS(sps->offset_for_ref_frame)) { av_log(h->avctx, AV_LOG_ERROR, - "poc_cycle_length overflow %u\n", sps->poc_cycle_length); + "poc_cycle_length overflow %d\n", sps->poc_cycle_length); goto fail; } @@ -390,9 +402,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) } sps->ref_frame_count = get_ue_golomb_31(&h->gb); - if (sps->ref_frame_count > MAX_PICTURE_COUNT - 2 || + if (sps->ref_frame_count > H264_MAX_PICTURE_COUNT - 2 || sps->ref_frame_count >= 32U) { - av_log(h->avctx, AV_LOG_ERROR, "too many reference frames\n"); + av_log(h->avctx, AV_LOG_ERROR, + "too many reference frames %d\n", sps->ref_frame_count); goto fail; } sps->gaps_in_frame_num_allowed_flag = get_bits1(&h->gb); @@ -426,14 +439,14 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) #endif sps->crop = get_bits1(&h->gb); if (sps->crop) { - int crop_left = get_ue_golomb(&h->gb); - int crop_right = get_ue_golomb(&h->gb); - int crop_top = get_ue_golomb(&h->gb); - int crop_bottom = get_ue_golomb(&h->gb); + unsigned int crop_left = get_ue_golomb(&h->gb); + unsigned int crop_right = get_ue_golomb(&h->gb); + unsigned int crop_top = get_ue_golomb(&h->gb); + unsigned int crop_bottom = get_ue_golomb(&h->gb); - if (h->avctx->flags2 & CODEC_FLAG2_IGNORE_CROP) { + if (h->avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) { av_log(h->avctx, AV_LOG_DEBUG, "discarding sps cropping, original " - "values are l:%u r:%u t:%u b:%u\n", + "values are l:%d r:%d t:%d b:%d\n", crop_left, crop_right, crop_top, crop_bottom); sps->crop_left = @@ -448,7 +461,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) int step_y = (2 - sps->frame_mbs_only_flag) << vsub; if (crop_left & (0x1F >> (sps->bit_depth_luma > 8)) && - !(h->avctx->flags & CODEC_FLAG_UNALIGNED)) { + !(h->avctx->flags & AV_CODEC_FLAG_UNALIGNED)) { crop_left &= ~(0x1F >> (sps->bit_depth_luma > 8)); av_log(h->avctx, AV_LOG_WARNING, "Reducing left cropping to %d " @@ -456,6 +469,18 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) crop_left); } + if (INT_MAX / step_x <= crop_left || + INT_MAX / step_x - crop_left <= crop_right || + 16 * sps->mb_width <= step_x * (crop_left + crop_right) || + INT_MAX / step_y <= crop_top || + INT_MAX / step_y - crop_top <= crop_bottom || + 16 * sps->mb_height <= step_y * (crop_top + crop_bottom)) { + av_log(h->avctx, AV_LOG_WARNING, "Invalid crop parameters\n"); + if (h->avctx->err_recognition & AV_EF_EXPLODE) + goto fail; + crop_left = crop_right = crop_top = crop_bottom = 0; + } + sps->crop_left = crop_left * step_x; sps->crop_right = crop_right * step_x; sps->crop_top = crop_top * step_y; @@ -482,7 +507,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) if (h->avctx->debug & FF_DEBUG_PICT_INFO) { static const char csp[4][5] = { "Gray", "420", "422", "444" }; av_log(h->avctx, AV_LOG_DEBUG, - "sps:%u profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%d/%d/%d/%d %s %s %d/%d\n", + "sps:%u profile:%d/%d poc:%d ref:%d %dx%d %s %s crop:%u/%u/%u/%u %s %s %"PRId32"/%"PRId32"\n", sps_id, sps->profile_idc, sps->level_idc, sps->poc_type, sps->ref_frame_count, @@ -501,13 +526,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) av_free(h->sps_buffers[sps_id]); h->sps_buffers[sps_id] = sps; h->sps = *sps; - h->current_sps_id = sps_id; return 0; fail: av_free(sps); - return -1; + return AVERROR_INVALIDDATA; } static void build_qp_table(PPS *pps, int t, int index, const int depth) @@ -521,19 +545,16 @@ static void build_qp_table(PPS *pps, int t, int index, const int depth) int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length) { + const SPS *sps; unsigned int pps_id = get_ue_golomb(&h->gb); PPS *pps; - const int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); + int qp_bd_offset; int bits_left; + int ret; if (pps_id >= MAX_PPS_COUNT) { - av_log(h->avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); + av_log(h->avctx, AV_LOG_ERROR, "pps_id %u out of range\n", pps_id); return AVERROR_INVALIDDATA; - } else if (h->sps.bit_depth_luma > 10) { - av_log(h->avctx, AV_LOG_ERROR, - "Unimplemented luma bit depth=%d (max=10)\n", - h->sps.bit_depth_luma); - return AVERROR_PATCHWELCOME; } pps = av_mallocz(sizeof(PPS)); @@ -541,8 +562,18 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length) return AVERROR(ENOMEM); pps->sps_id = get_ue_golomb_31(&h->gb); if ((unsigned)pps->sps_id >= MAX_SPS_COUNT || - h->sps_buffers[pps->sps_id] == NULL) { - av_log(h->avctx, AV_LOG_ERROR, "sps_id out of range\n"); + !h->sps_buffers[pps->sps_id]) { + av_log(h->avctx, AV_LOG_ERROR, "sps_id %u out of range\n", pps->sps_id); + ret = AVERROR_INVALIDDATA; + goto fail; + } + sps = h->sps_buffers[pps->sps_id]; + + if (sps->bit_depth_luma > 10) { + av_log(h->avctx, AV_LOG_ERROR, + "Unimplemented luma bit depth=%d (max=10)\n", + sps->bit_depth_luma); + ret = AVERROR_PATCHWELCOME; goto fail; } @@ -588,9 +619,12 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length) pps->ref_count[1] = get_ue_golomb(&h->gb) + 1; if (pps->ref_count[0] - 1 > 32 - 1 || pps->ref_count[1] - 1 > 32 - 1) { av_log(h->avctx, AV_LOG_ERROR, "reference overflow (pps)\n"); + ret = AVERROR_INVALIDDATA; goto fail; } + qp_bd_offset = 6 * (sps->bit_depth_luma - 8); + pps->weighted_pred = get_bits1(&h->gb); pps->weighted_bipred_idc = get_bits(&h->gb, 2); pps->init_qp = get_se_golomb(&h->gb) + 26 + qp_bd_offset; @@ -621,15 +655,15 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length) } build_qp_table(pps, 0, pps->chroma_qp_index_offset[0], - h->sps.bit_depth_luma); + sps->bit_depth_luma); build_qp_table(pps, 1, pps->chroma_qp_index_offset[1], - h->sps.bit_depth_luma); + sps->bit_depth_luma); if (pps->chroma_qp_index_offset[0] != pps->chroma_qp_index_offset[1]) pps->chroma_qp_diff = 1; if (h->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(h->avctx, AV_LOG_DEBUG, - "pps:%u sps:%u %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d/%d %s %s %s %s\n", + "pps:%u sps:%u %s slice_groups:%d ref:%u/%u %s qp:%d/%d/%d/%d %s %s %s %s\n", pps_id, pps->sps_id, pps->cabac ? "CABAC" : "CAVLC", pps->slice_group_count, @@ -648,5 +682,5 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length) fail: av_free(pps); - return -1; + return ret; }