[FFmpeg-devel] avcodec/mpeg4_unpack_bframes_bsf: Improve DivX userdata check

Submitted by Andreas Rheinhardt on March 11, 2019, 11:36 a.m.

Details

Message ID 20190311113608.4140-1-andreas.rheinhardt@googlemail.com
State New

Commit Message

Andreas Rheinhardt March 11, 2019, 11:36 a.m.
The earlier version didn't really check that the 'p' of a "p\0" is
actually part of a user_data section, instead it treated the first
"p\0" after the start of a user_data section as end of a user_data
section if it is close enough to the beginning of the user_data section;
it actually needn't be part of a user_data section at all.

Furthermore, the code worked under the assumption that there is a 0x00
after the 'p' although this might not be true for extradata if the
user_data unit is at the end of the extradata.

Both of these flaws have been fixed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
---
The earlier version was inspired by the check for packed bitstreams in
decode_user_data() in mpeg4videodec.c where the "DivX" is mandatory,
too.
Note that this new version relies on there being no binary zero inside
the user data.
 libavcodec/mpeg4_unpack_bframes_bsf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer March 11, 2019, 10:26 p.m.
On Mon, Mar 11, 2019 at 12:36:08PM +0100, Andreas Rheinhardt wrote:
> The earlier version didn't really check that the 'p' of a "p\0" is
> actually part of a user_data section, instead it treated the first
> "p\0" after the start of a user_data section as end of a user_data
> section if it is close enough to the beginning of the user_data section;
> it actually needn't be part of a user_data section at all.
> 
> Furthermore, the code worked under the assumption that there is a 0x00
> after the 'p' although this might not be true for extradata if the
> user_data unit is at the end of the extradata.
> 
> Both of these flaws have been fixed.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
> ---
> The earlier version was inspired by the check for packed bitstreams in
> decode_user_data() in mpeg4videodec.c where the "DivX" is mandatory,
> too.

> Note that this new version relies on there being no binary zero inside
> the user data.

Is this based on anything from the spec ?


[...]
Andreas Rheinhardt March 11, 2019, 10:56 p.m.
Michael Niedermayer:
> On Mon, Mar 11, 2019 at 12:36:08PM +0100, Andreas Rheinhardt wrote:
>> The earlier version didn't really check that the 'p' of a "p\0" is
>> actually part of a user_data section, instead it treated the first
>> "p\0" after the start of a user_data section as end of a user_data
>> section if it is close enough to the beginning of the user_data section;
>> it actually needn't be part of a user_data section at all.
>>
>> Furthermore, the code worked under the assumption that there is a 0x00
>> after the 'p' although this might not be true for extradata if the
>> user_data unit is at the end of the extradata.
>>
>> Both of these flaws have been fixed.
>>
>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
>> ---
>> The earlier version was inspired by the check for packed bitstreams in
>> decode_user_data() in mpeg4videodec.c where the "DivX" is mandatory,
>> too.
> 
>> Note that this new version relies on there being no binary zero inside
>> the user data.
> 
> Is this based on anything from the spec ?

No. According to the spec, a user_data ends upon the next occurrence of
a byte-aligned 0x000001 (and it may not contain a non-byte-aligned
0x000001), so it is allowed to have a binary zero in there. But I
thought that a user_data for indicating a packed bitstream is a
string, so shouldn't contain a binary zero. I can modify this if
desired. (If so, does a "p\0" where the 'p' is part of the user_data
be taken to indicate a packed bitstream or does the 'p' have to be the
last nonzero character of the user_data?)

(And shouldn't the same logic also be applied to the decoder (that
currently requires the "DivX" to conclude that a stream is a packed
bitstream)?)
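
The behaviours discussed in this thread, reproduced on constructed buffers. This is an added example, not FFmpeg code: `old_check` and `new_check` are hypothetical names for simplified copies of the loop before and after the patch below, and the sample bytes are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified copy of the loop the patch removes: it needs a readable byte
 * after the 'p' and keeps scanning past zero bytes. Returns the offset of
 * the 'p' relative to pos, or -1. old_check is a hypothetical name. */
static int old_check(const uint8_t *pos, const uint8_t *end)
{
    for (int i = 0; i < 255 && pos + i + 1 < end; i++)
        if (pos[i] == 'p' && pos[i + 1] == '\0')
            return i;
    return -1;
}

/* Simplified copy of the loop the patch adds (hypothetical name). */
static int new_check(const uint8_t *pos, const uint8_t *end)
{
    for (int i = 0; i < 255 && pos + i < end; i++) {
        if (pos[i] == 'p' && (pos + i + 1 == end || pos[i + 1] == '\0'))
            return i;
        else if (pos[i] == 0)
            break;
    }
    return -1;
}

#define END(a) ((a) + sizeof(a))
/* Constructed payloads: the bytes that follow a user_data start code. */
/* a: unpacked string, then a later unit that happens to contain "p\0" */
static const uint8_t sample_a[] = { 'D','i','v','X','5','0','3', 0,0,1,0xB6, 0x10,'p',0,0x55 };
/* b: packed string as the very last bytes of extradata, no trailing zero */
static const uint8_t sample_b[] = { 'D','i','v','X','5','0','3','p' };
/* c: packed string followed by the next start code */
static const uint8_t sample_c[] = { 'D','i','v','X','5','0','3','p', 0,0,1,0xB6 };
/* d: embedded zero before the 'p' (per the reply above, the spec allows it) */
static const uint8_t sample_d[] = { 'D','i','v','X', 0, '5','p', 0,0,1,0xB6 };

int main(void)
{
    printf("a: old=%d new=%d\n", old_check(sample_a, END(sample_a)), new_check(sample_a, END(sample_a)));
    printf("b: old=%d new=%d\n", old_check(sample_b, END(sample_b)), new_check(sample_b, END(sample_b)));
    printf("c: old=%d new=%d\n", old_check(sample_c, END(sample_c)), new_check(sample_c, END(sample_c)));
    printf("d: old=%d new=%d\n", old_check(sample_d, END(sample_d)), new_check(sample_d, END(sample_d)));
    return 0;
}
```

Case a is the false positive outside the user_data, case b the missing trailing zero at the end of extradata, and case d the cost of the new early exit on a zero byte.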

Patch

diff --git a/libavcodec/mpeg4_unpack_bframes_bsf.c b/libavcodec/mpeg4_unpack_bframes_bsf.c
index 1daf133ce5..37bb0b20e3 100644
--- a/libavcodec/mpeg4_unpack_bframes_bsf.c
+++ b/libavcodec/mpeg4_unpack_bframes_bsf.c
@@ -41,11 +41,12 @@  static void scan_buffer(const uint8_t *buf, int buf_size,
 
         if (startcode == USER_DATA_STARTCODE && pos_p) {
             /* check if the (DivX) userdata string ends with 'p' (packed) */
-            for (int i = 0; i < 255 && pos + i + 1 < end; i++) {
-                if (pos[i] == 'p' && pos[i + 1] == '\0') {
+            for (int i = 0; i < 255 && pos + i < end; i++) {
+                if (pos[i] == 'p' && (pos + i + 1 == end || pos[i + 1] == '\0')) {
                     *pos_p = pos + i - buf;
                     break;
-                }
+                } else if (pos[i] == 0)
+                    break;
             }
         } else if (startcode == VOP_STARTCODE && nb_vop) {
             *nb_vop += 1;
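
Review bot: the new `else if (pos[i] == 0) break;` branch ends the scan at the first zero byte, but the comment above the loop still only says the userdata string "ends with 'p'", and the reliance on there being no binary zero inside the user data is stated only below the `---` line, so it will not reach the tree. Please extend the comment to say the user data is treated as a zero-terminated string, or, if embedded zeros have to be tolerated, end the scan at the next 0x000001 instead of at the first zero. Smaller points in the same branch: the same byte value is spelled `'\0'` in the `if` and `0` in the `else if`, and the `else if` body is unbraced after a braced `if`; using one spelling and bracing both arms would read more consistently.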