[FFmpeg-devel] avcodec/h264_ps: Check chroma_qp_index_offset

Fixes: 647/clusterfuzz-testcase-5195745823031296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/h264_ps.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: 647/clusterfuzz-testcase-5195745823031296
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/h264_ps.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
> index 8090178395..f4a4a01fbe 100644
> --- a/libavcodec/h264_ps.c
> +++ b/libavcodec/h264_ps.c
> @@ -828,6 +828,12 @@ int ff_h264_decode_picture_parameter_set(GetBitContext
> *gb, AVCodecContext *avct
>      pps->init_qp                              = get_se_golomb(gb) + 26 +
> qp_bd_offset;
>      pps->init_qs                              = get_se_golomb(gb) + 26 +
> qp_bd_offset;
>      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
> +    if (pps->chroma_qp_index_offset[0] < -12 ||
> pps->chroma_qp_index_offset[0] > 12) {
> +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d is

This is nonsense. Please remove.

> invalid\n", pps->chroma_qp_index_offset[0]);
> +        ret = AVERROR_INVALIDDATA;
> +        goto fail;
> +    }
> +
>      pps->deblocking_filter_parameters_present = get_bits1(gb);
>      pps->constrained_intra_pred               = get_bits1(gb);
>      pps->redundant_pic_cnt_present            = get_bits1(gb);
> @@ -845,6 +851,11 @@ int ff_h264_decode_picture_parameter_set(GetBitContext
> *gb, AVCodecContext *avct
>                                  pps->scaling_matrix4,
> pps->scaling_matrix8);
>          // second_chroma_qp_index_offset
>          pps->chroma_qp_index_offset[1] = get_se_golomb(gb);
> +        if (pps->chroma_qp_index_offset[1] < -12 ||
> pps->chroma_qp_index_offset[1] > 12) {
> +            av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[1] %d is
> invalid\n", pps->chroma_qp_index_offset[1]);

ditto.

> +            ret = AVERROR_INVALIDDATA;
> +            goto fail;
> +        }
>      } else {
>          pps->chroma_qp_index_offset[1] = pps->chroma_qp_index_offset[0];
>      }
> --
> 2.11.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>

Having log message for every error case would make ffmpeg binary very
big and slow.

On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: 647/clusterfuzz-testcase-5195745823031296
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/h264_ps.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> >
> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
> > index 8090178395..f4a4a01fbe 100644
> > --- a/libavcodec/h264_ps.c
> > +++ b/libavcodec/h264_ps.c
> > @@ -828,6 +828,12 @@ int ff_h264_decode_picture_parameter_set(GetBitContext
> > *gb, AVCodecContext *avct
> >      pps->init_qp                              = get_se_golomb(gb) + 26 +
> > qp_bd_offset;
> >      pps->init_qs                              = get_se_golomb(gb) + 26 +
> > qp_bd_offset;
> >      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
> > pps->chroma_qp_index_offset[0] > 12) {
> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d is
> 
> This is nonsense. Please remove.

Id like to keep the error messages or id like to have someone else
take over h264 maintaince in ffmpeg.


[...]

> Having log message for every error case would make ffmpeg binary very
> big and slow.

I think the effect of the strings and not executed calls is negligible
but iam not opposed to use a ff_elog() or av_elog() or avpriv_elog()
if such macro would exist.

Is anyone against adding and using such a macro ?


[...]

On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
>> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > Fixes: 647/clusterfuzz-testcase-5195745823031296
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/h264_ps.c | 11 +++++++++++
>> >  1 file changed, 11 insertions(+)
>> >
>> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
>> > index 8090178395..f4a4a01fbe 100644
>> > --- a/libavcodec/h264_ps.c
>> > +++ b/libavcodec/h264_ps.c
>> > @@ -828,6 +828,12 @@ int
>> > ff_h264_decode_picture_parameter_set(GetBitContext
>> > *gb, AVCodecContext *avct
>> >      pps->init_qp                              = get_se_golomb(gb) + 26
>> > +
>> > qp_bd_offset;
>> >      pps->init_qs                              = get_se_golomb(gb) + 26
>> > +
>> > qp_bd_offset;
>> >      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
>> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
>> > pps->chroma_qp_index_offset[0] > 12) {
>> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d is
>>
>> This is nonsense. Please remove.
>
> Id like to keep the error messages or id like to have someone else
> take over h264 maintaince in ffmpeg.

Than why you are posting patches at all, if you do not want to listen
to reviews.

>
>
> [...]
>
>> Having log message for every error case would make ffmpeg binary very
>> big and slow.
>
> I think the effect of the strings and not executed calls is negligible
> but iam not opposed to use a ff_elog() or av_elog() or avpriv_elog()
> if such macro would exist.
>
> Is anyone against adding and using such a macro ?

On Wed, Feb 22, 2017 at 04:41:43PM +0100, Paul B Mahol wrote:
> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > Fixes: 647/clusterfuzz-testcase-5195745823031296
> >> >
> >> > Found-by: continuous fuzzing process
> >> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> > ---
> >> >  libavcodec/h264_ps.c | 11 +++++++++++
> >> >  1 file changed, 11 insertions(+)
> >> >
> >> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
> >> > index 8090178395..f4a4a01fbe 100644
> >> > --- a/libavcodec/h264_ps.c
> >> > +++ b/libavcodec/h264_ps.c
> >> > @@ -828,6 +828,12 @@ int
> >> > ff_h264_decode_picture_parameter_set(GetBitContext
> >> > *gb, AVCodecContext *avct
> >> >      pps->init_qp                              = get_se_golomb(gb) + 26
> >> > +
> >> > qp_bd_offset;
> >> >      pps->init_qs                              = get_se_golomb(gb) + 26
> >> > +
> >> > qp_bd_offset;
> >> >      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
> >> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
> >> > pps->chroma_qp_index_offset[0] > 12) {
> >> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d is
> >>
> >> This is nonsense. Please remove.
> >
> > Id like to keep the error messages or id like to have someone else
> > take over h264 maintaince in ffmpeg.
> 
> Than why you are posting patches at all, if you do not want to listen
> to reviews.

ive posted a patchset with ff_elog() instead

do people prefer that ?

[...]

On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Wed, Feb 22, 2017 at 04:41:43PM +0100, Paul B Mahol wrote:
>> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
>> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> >> > Fixes: 647/clusterfuzz-testcase-5195745823031296
>> >> >
>> >> > Found-by: continuous fuzzing process
>> >> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
>> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> >> > ---
>> >> >  libavcodec/h264_ps.c | 11 +++++++++++
>> >> >  1 file changed, 11 insertions(+)
>> >> >
>> >> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
>> >> > index 8090178395..f4a4a01fbe 100644
>> >> > --- a/libavcodec/h264_ps.c
>> >> > +++ b/libavcodec/h264_ps.c
>> >> > @@ -828,6 +828,12 @@ int
>> >> > ff_h264_decode_picture_parameter_set(GetBitContext
>> >> > *gb, AVCodecContext *avct
>> >> >      pps->init_qp                              = get_se_golomb(gb) +
>> >> > 26
>> >> > +
>> >> > qp_bd_offset;
>> >> >      pps->init_qs                              = get_se_golomb(gb) +
>> >> > 26
>> >> > +
>> >> > qp_bd_offset;
>> >> >      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
>> >> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
>> >> > pps->chroma_qp_index_offset[0] > 12) {
>> >> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d
>> >> > is
>> >>
>> >> This is nonsense. Please remove.
>> >
>> > Id like to keep the error messages or id like to have someone else
>> > take over h264 maintaince in ffmpeg.
>>
>> Than why you are posting patches at all, if you do not want to listen
>> to reviews.
>
> ive posted a patchset with ff_elog() instead
>
> do people prefer that ?
>
> [...]

You could right now start adding such messages at every error path.

On Wed, Feb 22, 2017 at 07:40:24PM +0100, Paul B Mahol wrote:
> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Wed, Feb 22, 2017 at 04:41:43PM +0100, Paul B Mahol wrote:
> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
> >> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> >> > Fixes: 647/clusterfuzz-testcase-5195745823031296
> >> >> >
> >> >> > Found-by: continuous fuzzing process
> >> >> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> >> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> >> > ---
> >> >> >  libavcodec/h264_ps.c | 11 +++++++++++
> >> >> >  1 file changed, 11 insertions(+)
> >> >> >
> >> >> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
> >> >> > index 8090178395..f4a4a01fbe 100644
> >> >> > --- a/libavcodec/h264_ps.c
> >> >> > +++ b/libavcodec/h264_ps.c
> >> >> > @@ -828,6 +828,12 @@ int
> >> >> > ff_h264_decode_picture_parameter_set(GetBitContext
> >> >> > *gb, AVCodecContext *avct
> >> >> >      pps->init_qp                              = get_se_golomb(gb) +
> >> >> > 26
> >> >> > +
> >> >> > qp_bd_offset;
> >> >> >      pps->init_qs                              = get_se_golomb(gb) +
> >> >> > 26
> >> >> > +
> >> >> > qp_bd_offset;
> >> >> >      pps->chroma_qp_index_offset[0]            = get_se_golomb(gb);
> >> >> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
> >> >> > pps->chroma_qp_index_offset[0] > 12) {
> >> >> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0] %d
> >> >> > is
> >> >>
> >> >> This is nonsense. Please remove.
> >> >
> >> > Id like to keep the error messages or id like to have someone else
> >> > take over h264 maintaince in ffmpeg.
> >>
> >> Than why you are posting patches at all, if you do not want to listen
> >> to reviews.
> >
> > ive posted a patchset with ff_elog() instead
> >
> > do people prefer that ?
> >
> > [...]
> 
> You could right now start adding such messages at every error path.

ill push my patch without the error messages, i think i failed to
realize how much the error messages annoy you.

[...]

On 2/23/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Wed, Feb 22, 2017 at 07:40:24PM +0100, Paul B Mahol wrote:
>> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > On Wed, Feb 22, 2017 at 04:41:43PM +0100, Paul B Mahol wrote:
>> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> >> > On Wed, Feb 22, 2017 at 02:29:00PM +0100, Paul B Mahol wrote:
>> >> >> On 2/22/17, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> >> >> > Fixes: 647/clusterfuzz-testcase-5195745823031296
>> >> >> >
>> >> >> > Found-by: continuous fuzzing process
>> >> >> > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
>> >> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> >> >> > ---
>> >> >> >  libavcodec/h264_ps.c | 11 +++++++++++
>> >> >> >  1 file changed, 11 insertions(+)
>> >> >> >
>> >> >> > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
>> >> >> > index 8090178395..f4a4a01fbe 100644
>> >> >> > --- a/libavcodec/h264_ps.c
>> >> >> > +++ b/libavcodec/h264_ps.c
>> >> >> > @@ -828,6 +828,12 @@ int
>> >> >> > ff_h264_decode_picture_parameter_set(GetBitContext
>> >> >> > *gb, AVCodecContext *avct
>> >> >> >      pps->init_qp                              = get_se_golomb(gb)
>> >> >> > +
>> >> >> > 26
>> >> >> > +
>> >> >> > qp_bd_offset;
>> >> >> >      pps->init_qs                              = get_se_golomb(gb)
>> >> >> > +
>> >> >> > 26
>> >> >> > +
>> >> >> > qp_bd_offset;
>> >> >> >      pps->chroma_qp_index_offset[0]            =
>> >> >> > get_se_golomb(gb);
>> >> >> > +    if (pps->chroma_qp_index_offset[0] < -12 ||
>> >> >> > pps->chroma_qp_index_offset[0] > 12) {
>> >> >> > +        av_log(avctx, AV_LOG_ERROR, "chroma_qp_index_offset[0]
>> >> >> > %d
>> >> >> > is
>> >> >>
>> >> >> This is nonsense. Please remove.
>> >> >
>> >> > Id like to keep the error messages or id like to have someone else
>> >> > take over h264 maintaince in ffmpeg.
>> >>
>> >> Than why you are posting patches at all, if you do not want to listen
>> >> to reviews.
>> >
>> > ive posted a patchset with ff_elog() instead
>> >
>> > do people prefer that ?
>> >
>> > [...]
>>
>> You could right now start adding such messages at every error path.
>
> ill push my patch without the error messages, i think i failed to
> realize how much the error messages annoy you.

You can apply elog variant if you really need it.