From patchwork Wed Mar 11 10:39:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Fu, Linjie" X-Patchwork-Id: 18117 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 13DAD44861E for ; Wed, 11 Mar 2020 12:43:55 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id EEF0468ABC2; Wed, 11 Mar 2020 12:43:54 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0B315688138 for ; Wed, 11 Mar 2020 12:43:47 +0200 (EET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Mar 2020 03:43:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,540,1574150400"; d="scan'208";a="415523402" Received: from icl-dev.sh.intel.com ([10.239.158.73]) by orsmga005.jf.intel.com with ESMTP; 11 Mar 2020 03:43:44 -0700 From: Linjie Fu To: ffmpeg-devel@ffmpeg.org Date: Wed, 11 Mar 2020 18:39:05 +0800 Message-Id: <1583923145-9182-1-git-send-email-linjie.fu@intel.com> X-Mailer: git-send-email 2.7.4 Subject: [FFmpeg-devel] [PATCH] lavc/vp9: fix reference frame dimensions check X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Linjie Fu MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" With the description in frame size with refs semantics (SPEC 7.2.5), it is a requirement of bitstream conformance that for at least one reference frame has the valid dimensions. Modify the check to make sure the decoder works well in the condition that not all references frames have valid dimensions. Signed-off-by: Linjie Fu --- Fix the the decoding faiure for frames with dimension-ilegal refs. Verifying with native vp9 and libvpx-vp9 decoder, the md5 result matches. https://github.com/webmproject/libvpx/blob/master/vp9/decoder/vp9_decodeframe.c#L1580 libavcodec/vp9.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 7aaae9b..61d60ef 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -794,6 +794,7 @@ static int decode_frame_header(AVCodecContext *avctx, /* check reference frames */ if (!s->s.h.keyframe && !s->s.h.intraonly) { + int valid_ref_frame = 0; for (i = 0; i < 3; i++) { AVFrame *ref = s->s.refs[s->s.h.refidx[i]].f; int refw = ref->width, refh = ref->height; @@ -807,18 +808,23 @@ static int decode_frame_header(AVCodecContext *avctx, } else if (refw == w && refh == h) { s->mvscale[i][0] = s->mvscale[i][1] = 0; } else { + /* Check to make sure at least one of frames that */ + /* this frame references has valid dimensions. */ if (w * 2 < refw || h * 2 < refh || w > 16 * refw || h > 16 * refh) { - av_log(avctx, AV_LOG_ERROR, + av_log(avctx, AV_LOG_WARNING, "Invalid ref frame dimensions %dx%d for frame size %dx%d\n", refw, refh, w, h); - return AVERROR_INVALIDDATA; + continue; } s->mvscale[i][0] = (refw << 14) / w; s->mvscale[i][1] = (refh << 14) / h; s->mvstep[i][0] = 16 * s->mvscale[i][0] >> 14; s->mvstep[i][1] = 16 * s->mvscale[i][1] >> 14; } + valid_ref_frame++; } + if (!valid_ref_frame) + return AVERROR_INVALIDDATA; } if (s->s.h.keyframe || s->s.h.errorres || (s->s.h.intraonly && s->s.h.resetctx == 3)) {