From patchwork Thu Oct 17 08:29:36 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 15801
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 17 Oct 2019 10:29:36 +0200
Message-Id: <20191017082945.13534-6-andreas.rheinhardt@gmail.com>
In-Reply-To: <20191017082945.13534-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 06/15] h264_mp4toannexb: Don't forget numOfPictureParameterSets
Cc: Andreas Rheinhardt

The format of an AVCDecoderConfigurationRecord, the out-of-band
extradata of H.264 in mp4, is as follows: First four bytes containing
version, profile and level, one byte for the length size and one byte
each for the number of SPS, followed by the SPS (each with its own size
field), followed by a byte containing the number of PPS followed by the
PPS with their size fields. While the number of SPS/PPS may be zero, the
bytes containing these numbers are mandatory.

Yet the byte containing the number of PPS has been ignored in two places:
1. In the initial check for whether the extradata can contain an
AVCDecoderConfigurationRecord. The minimum size is 7, not 6.
2. No check is made for whether the extradata ended right after the last
byte of the last SPS of the SPS array. Instead the first byte of the
padding is read as if it were part of the extradata and contained the
number of PPS (namely zero, given that the padding is zeroed). No error
or warning was ever raised.

This has been changed. Such truncated extradata is now considered
invalid; the check for 2. has been incorporated into the general size
check.
Signed-off-by: Andreas Rheinhardt --- libavcodec/h264_mp4toannexb_bsf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 629f63a751..270287dc1e 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -102,8 +102,8 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) unit_size = bytestream2_get_be16u(gb); total_size += unit_size + 4; av_assert1(total_size <= INT_MAX - padding); - if (bytestream2_get_bytes_leftu(gb) < unit_size) { - av_log(ctx, AV_LOG_ERROR, "Packet header is not contained in global extradata, " + if (bytestream2_get_bytes_leftu(gb) < unit_size + !sps_done) { + av_log(ctx, AV_LOG_ERROR, "Global extradata truncated, " "corrupted stream or invalid MP4/AVCC bitstream\n"); av_free(out); return AVERROR_INVALIDDATA; @@ -154,7 +154,7 @@ static int h264_mp4toannexb_init(AVBSFContext *ctx) (extra_size >= 4 && AV_RB32(ctx->par_in->extradata) == 1)) { av_log(ctx, AV_LOG_VERBOSE, "The input looks like it is Annex B already\n"); - } else if (extra_size >= 6) { + } else if (extra_size >= 7) { ret = h264_extradata_to_annexb(ctx, AV_INPUT_BUFFER_PADDING_SIZE); if (ret < 0) return ret;
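Review bot: in the h264_extradata_to_annexb hunk (@@ -102,8), the new bound `unit_size + !sps_done` carries no comment, and nothing at that line says the extra byte stands for the mandatory numOfPictureParameterSets byte that must follow the SPS array. Please add a one-line comment there, or spell the term out as a named local, so a later cleanup does not drop it as an apparent off-by-one. Separately, the context line `unit_size = bytestream2_get_be16u(gb);` is an unchecked read and the hunk shows no length check ahead of it; worth confirming that two bytes are guaranteed to be left at that point.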
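Review bot: in the h264_mp4toannexb_init hunk (@@ -154,7), the bare `7` in `extra_size >= 7` deserves a comment listing what it counts (four header bytes, the length-size byte and the two count bytes), since the previous `6` was wrong for exactly that reason. The branch that now receives 6-byte extradata lies outside the hunk: the commit message says such data is considered invalid, so please confirm that path returns an error or at least logs, rather than skipping the conversion silently.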
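The record layout the commit message describes, written as a stand-alone bounds-checked validator that rejects both cases the patch addresses. This is an added example, not FFmpeg's code: `avcc_check`, `skip_units`, the result codes and the sample buffers are constructed here, and the 5-bit mask on the SPS count comes from the ISO/IEC 14496-15 record layout rather than from this mail.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes: names chosen for this example. */
enum { AVCC_OK = 0, AVCC_TOO_SHORT = -1, AVCC_TRUNCATED = -2 };

/* Constructed samples: one 2-byte SPS; only the first has the PPS count byte. */
static const uint8_t avcc_valid[]     = {1, 0x64, 0, 0x1f, 0xff, 0xe1, 0, 2, 0x67, 0x64, 0};
static const uint8_t avcc_truncated[] = {1, 0x64, 0, 0x1f, 0xff, 0xe1, 0, 2, 0x67, 0x64};

/* Skip `count` units, each a 16-bit big-endian size plus that many bytes.
 * `need_after` bytes must remain after every unit: 1 for the SPS array
 * (the PPS count byte is mandatory), 0 for the PPS array. */
static int skip_units(const uint8_t *p, size_t len, size_t *pos,
                      unsigned count, size_t need_after)
{
    while (count--) {
        if (len - *pos < 2)
            return AVCC_TRUNCATED;
        size_t unit = ((size_t)p[*pos] << 8) | p[*pos + 1];
        *pos += 2;
        if (len - *pos < unit + need_after)
            return AVCC_TRUNCATED;
        *pos += unit;
    }
    return AVCC_OK;
}

/* Validate the layout of an AVCDecoderConfigurationRecord and report the
 * SPS/PPS counts. Never reads outside [buf, buf + len). */
int avcc_check(const uint8_t *buf, size_t len, unsigned *n_sps, unsigned *n_pps)
{
    if (len < 7)                 /* 4 header + length size + two count bytes */
        return AVCC_TOO_SHORT;
    size_t pos = 6;
    *n_sps = buf[5] & 0x1f;      /* low 5 bits carry the SPS count */
    int ret = skip_units(buf, len, &pos, *n_sps, 1);
    if (ret < 0)
        return ret;
    *n_pps = buf[pos++];         /* present: len >= 7 and need_after == 1 */
    return skip_units(buf, len, &pos, *n_pps, 0);
}

int main(void)
{
    unsigned s, p;
    return !(avcc_check(avcc_valid, sizeof avcc_valid, &s, &p) == AVCC_OK &&
             avcc_check(avcc_truncated, sizeof avcc_truncated, &s, &p) == AVCC_TRUNCATED);
}
```

`avcc_truncated` ends right after the last SPS byte, which is case 2 of the commit message: the validator reports truncation instead of reading a count from whatever follows the buffer.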